git: 9dad3ed1d15c - stable/14 - cr_canseejailproc(): New privilege, no direct check for UID 0
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 17 Oct 2023 19:43:23 UTC
The branch stable/14 has been updated by mhorne:
URL: https://cgit.FreeBSD.org/src/commit/?id=9dad3ed1d15c95c3eedb49c59e55bb25a7071250
commit 9dad3ed1d15c95c3eedb49c59e55bb25a7071250
Author: Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:37 +0000
Commit: Mitchell Horne <mhorne@FreeBSD.org>
CommitDate: 2023-10-17 19:42:58 +0000
cr_canseejailproc(): New privilege, no direct check for UID 0
Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of
explicitly testing for UID 0 (the former has been the rule for almost 20
years).
As a consequence, cr_canseejailproc() now abides by the
'security.bsd.suser_enabled' sysctl and MAC policies.
Update the MAC policies Biba and LOMAC, and prison_priv_check() so that
they don't deny this privilege. This preserves the existing behavior
(the 'root' user is not restricted, even when jailed, unless
'security.bsd.suser_enabled' is not 0) and is consistent with what is
done for the related policies/privileges (PRIV_SEEOTHERGIDS,
PRIV_SEEOTHERUIDS).
Reviewed by: emaste (earlier version), mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40626
(cherry picked from commit 7974ca1cdbee949f5e453eea112be265b425c407)
---
sys/kern/kern_jail.c | 1 +
sys/kern/kern_prot.c | 7 +++++--
sys/security/mac_biba/mac_biba.c | 1 +
sys/security/mac_lomac/mac_lomac.c | 1 +
sys/sys/priv.h | 1 +
5 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 39bdcaf5ef0e..57e6024a9939 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -3938,6 +3938,7 @@ prison_priv_check(struct ucred *cred, int priv)
*/
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
+ case PRIV_SEEJAILPROC:
/*
* Jail implements inter-process debugging limits already, so
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 19e0b78c6709..ed15cb566499 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1426,9 +1426,12 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
int
cr_canseejailproc(struct ucred *u1, struct ucred *u2)
{
- if (u1->cr_uid == 0)
+ if (see_jail_proc || /* Policy deactivated. */
+ u1->cr_prison == u2->cr_prison || /* Same jail. */
+ priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
return (0);
- return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0);
+
+ return (ESRCH);
}
/*-
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 6948548503e1..5d66e2fd4b9b 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1924,6 +1924,7 @@ biba_priv_check(struct ucred *cred, int priv)
*/
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
+ case PRIV_SEEJAILPROC:
break;
/*
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 05bd0da06960..aa9abf458721 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1702,6 +1702,7 @@ lomac_priv_check(struct ucred *cred, int priv)
*/
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
+ case PRIV_SEEJAILPROC:
break;
/*
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 45cb5bab4275..a61de8d32fe0 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -105,6 +105,7 @@
#define PRIV_CRED_SETRESGID 58 /* setresgid. */
#define PRIV_SEEOTHERGIDS 59 /* Exempt bsd.seeothergids. */
#define PRIV_SEEOTHERUIDS 60 /* Exempt bsd.seeotheruids. */
+#define PRIV_SEEJAILPROC 61 /* Exempt from bsd.see_jail_proc. */
/*
* Debugging privileges.