security.bsd.see_other_uids for jails

John Baldwin jhb at freebsd.org
Wed May 31 13:04:35 PDT 2006


On Sunday 28 May 2006 11:25, David Malone wrote:
> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
> > if security.bsd.see_other_uids is set to 0, users from the main system
> > can still see processes from jails if they have (by accident) the same
> > uid.
> > 
> > For me it's wrong behavior because the main system and the jail are two 
> > different systems where uids are independent.
> 
> You could try the following (untested) patch to the MAC seeotheruid
> module. You'd need to compile a kernel with the MAC option and then:
> 
> 	kldload mac_seeotheruids
> 	sysctl security.mac.seeotheruids.enabled=1
> 	sysctl security.mac.seeotheruids.jail_match=1
> 
> and I think it will do what you want. The module is very simple, so
> if it doesn't quite do what you want, then you may be able to tweak
> it to get what you want.
> 
> 	David.
> 
> 
> Index: sys/security/mac_seeotheruids/mac_seeotheruids.c
> ===================================================================
> +static int
> +mac_seeotheruids_prison_check(struct ucred *u1, struct ucred *u2) {
> +
> +	if (!jail_match)
> +		return (0);
> +
> +	if (u1->cr_prison == NULL && u2->cr_prison == NULL)
> +		return (0);
> +
> +	if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison)
> +		return (0);
> +
> +	return (ESRCH);
> +}
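Review bot: the quoted hunk has no @@ header and no context lines, so the call site that wires mac_seeotheruids_prison_check() into the module's existing visibility check is not shown; as posted the new static function has no caller, and whether it runs before or after the module's other exemptions cannot be judged without the hunk that invokes it. On style, style(9) puts the opening brace of a function body on its own line rather than trailing the signature as in `+mac_seeotheruids_prison_check(struct ucred *u1, struct ucred *u2) {`. The two NULL cases are also subsumed by a direct `u1->cr_prison == u2->cr_prison` comparison, as the reply below notes.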

Mostly off-topic, but couldn't you simplify the logic here slightly:

{
	if (!jail_match)
		return (0);

	if (u1->cr_prison == u2->cr_prison)
		return (0);

	return (ESRCH);
}

-- 
John Baldwin
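Both forms of the check side by side, as an added example (not code from the patch, the reply or FreeBSD): `struct prison` and `struct ucred` are hypothetical stubs carrying only the `cr_prison` pointer the check reads, `jail_match` stands in for the module's `security.mac.seeotheruids.jail_match` tunable, and `count_disagreements()` walks every pairing of host and jail credentials to confirm the two forms are equivalent.

```c
#include <errno.h>
#include <stddef.h>
/* Hypothetical stand-ins for the kernel types; only the field the check
 * reads is modelled (the real cr_prison points at a struct prison). */
struct prison { int pr_id; };
struct ucred { struct prison *cr_prison; };

/* Stand-in for the module tunable security.mac.seeotheruids.jail_match. */
static int jail_match = 1;

/* The check exactly as it appears in the posted patch. */
static int check_posted(struct ucred *u1, struct ucred *u2)
{
	if (!jail_match)
		return (0);
	if (u1->cr_prison == NULL && u2->cr_prison == NULL)
		return (0);
	if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison)
		return (0);
	return (ESRCH);
}

/* John's simplification: both explicit cases collapse into one pointer compare. */
static int check_simplified(struct ucred *u1, struct ucred *u2)
{
	if (!jail_match)
		return (0);
	if (u1->cr_prison == u2->cr_prison)
		return (0);
	return (ESRCH);
}

/* Compare both forms over every pairing of host (NULL) and two distinct jails,
 * with jail_match off and on; returns how many inputs they disagree on. */
static int count_disagreements(void)
{
	struct prison a = { 1 }, b = { 2 };
	struct prison *slot[3] = { NULL, &a, &b };
	int mismatches = 0;
	for (int jm = 0; jm <= 1; jm++) {
		jail_match = jm;	/* loop ends with jail_match back at 1 */
		for (int i = 0; i < 3; i++)
			for (int j = 0; j < 3; j++) {
				struct ucred u1 = { slot[i] }, u2 = { slot[j] };
				if (check_posted(&u1, &u2) != check_simplified(&u1, &u2))
					mismatches++;
			}
	}
	return (mismatches);
}
```

With jail_match on, a host credential (cr_prison NULL) and a jailed one are denied each other even when their uids coincide, which is the behaviour the original report asked for.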


More information about the freebsd-hackers mailing list