Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()

As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced. PR: 272092 Reviewed by: mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40628
2024-11-23 07:31:31 +00:00 · 2023-08-18 01:54:38 +02:00 · 2023-08-18 01:54:38 +02:00 · 5817169bc4
commit 5817169bc4
parent e4a7b4f99c
2 changed files with 8 additions and 21 deletions
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@ -1471,11 +1471,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
 	if ((error = mac_cred_check_visible(u1, u2)))
 		return (error);
 #endif
-	if ((error = cr_canseeotheruids(u1, u2)))
-		return (error);
-	if ((error = cr_canseeothergids(u1, u2)))
-		return (error);
-	if ((error = cr_canseejailproc(u1, u2)))
+	if ((error = cr_bsd_visible(u1, u2)))
 		return (error);
 	return (0);
 }
@ -1536,9 +1532,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
 	if ((error = mac_proc_check_signal(cred, proc, signum)))
 		return (error);
 #endif
-	if ((error = cr_canseeotheruids(cred, proc->p_ucred)))
-		return (error);
-	if ((error = cr_canseeothergids(cred, proc->p_ucred)))
+	if ((error = cr_bsd_visible(cred, proc->p_ucred)))
 		return (error);

 	/*
@ -1653,10 +1647,9 @@ p_cansched(struct thread *td, struct proc *p)
 	if ((error = mac_proc_check_sched(td->td_ucred, p)))
 		return (error);
 #endif
-	if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
-		return (error);
-	if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
+	if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
 		return (error);
+
 	if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
 	    td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
 		error = priv_check(td, PRIV_SCHED_DIFFCRED);
@ -1723,9 +1716,7 @@ p_candebug(struct thread *td, struct proc *p)
 	if ((error = mac_proc_check_debug(td->td_ucred, p)))
 		return (error);
 #endif
-	if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
-		return (error);
-	if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
+	if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
 		return (error);

 	/*
@ -1815,9 +1806,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
 	if (error)
 		return (error);
 #endif
-	if (cr_canseeotheruids(cred, so->so_cred))
-		return (ENOENT);
-	if (cr_canseeothergids(cred, so->so_cred))
+	if (cr_bsd_visible(cred, so->so_cred))
 		return (ENOENT);

 	return (0);
@ -1847,7 +1836,7 @@ p_canwait(struct thread *td, struct proc *p)
 #endif
 #if 0
 	/* XXXMAC: This could have odd effects on some shells. */
-	if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
+	if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
 		return (error);
 #endif

--- a/sys/netinet/in_prot.c
+++ b/sys/netinet/in_prot.c
@ -67,9 +67,7 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)
 	if (error)
 		return (error);
 #endif
-	if (cr_canseeotheruids(cred, inp->inp_cred))
-		return (ENOENT);
-	if (cr_canseeothergids(cred, inp->inp_cred))
+	if (cr_bsd_visible(cred, inp->inp_cred))
 		return (ENOENT);

 	return (0);