Allow getcred sysctl to work in jailed root processes. Processes can
only do getcred calls for sockets which were created in the same jail. This should allow the ident to work in a reasonable way within jails. PR: 28107 Approved by: des, rwatson
This commit is contained in:
parent
5e209ca776
commit
7ce87f1205
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=78697
@ -900,7 +900,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
|
||||
struct inpcb *inp;
|
||||
int error, s;
|
||||
|
||||
error = suser(req->p);
|
||||
error = suser_xxx(0, req->p, PRISON_ROOT);
|
||||
if (error)
|
||||
return (error);
|
||||
error = SYSCTL_IN(req, addrs, sizeof(addrs));
|
||||
@ -913,6 +913,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
|
||||
error = ENOENT;
|
||||
goto out;
|
||||
}
|
||||
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
|
||||
if (error)
|
||||
goto out;
|
||||
bzero(&xuc, sizeof(xuc));
|
||||
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
|
||||
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
|
||||
@ -924,8 +927,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
|
||||
return (error);
|
||||
}
|
||||
|
||||
SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
|
||||
0, 0, tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
|
||||
SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
|
||||
CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
|
||||
tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
|
||||
|
||||
#ifdef INET6
|
||||
static int
|
||||
@ -936,7 +940,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
|
||||
struct inpcb *inp;
|
||||
int error, s, mapped = 0;
|
||||
|
||||
error = suser(req->p);
|
||||
error = suser_xxx(0, req->p, PRISON_ROOT);
|
||||
if (error)
|
||||
return (error);
|
||||
error = SYSCTL_IN(req, addrs, sizeof(addrs));
|
||||
@ -965,6 +969,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
|
||||
error = ENOENT;
|
||||
goto out;
|
||||
}
|
||||
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
|
||||
if (error)
|
||||
goto out;
|
||||
bzero(&xuc, sizeof(xuc));
|
||||
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
|
||||
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
|
||||
@ -976,9 +983,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
|
||||
return (error);
|
||||
}
|
||||
|
||||
SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
|
||||
0, 0,
|
||||
tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
|
||||
SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
|
||||
CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
|
||||
tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
|
||||
#endif
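Review bot: In the second hunk of tcp_getcred the new `u_cansee()` check only runs after the inpcb lookup has succeeded, so a jailed root caller gets ENOENT when no matching connection exists (the `error = ENOENT; goto out;` just above the closing brace) but whatever `u_cansee()` returns when the connection exists but belongs to another jail or uid; if those codes differ, a process inside a jail can probe arbitrary address/port 4-tuples and learn which ones are in use on the host even though it cannot read their credentials. If ident does not need to tell "absent" from "not visible", collapsing the failure onto the lookup result closes the oracle: `if (error) { error = ENOENT; goto out; }`. What `u_cansee()` actually returns and enforces is defined outside this diff, so confirm there that the two error paths are in fact distinguishable before changing it. tcp_getcred's body starts before the first hunk and the `out:` label is outside the view.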
|
||||
|
||||
|
||||
|
@ -900,7 +900,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
|
||||
struct inpcb *inp;
|
||||
int error, s;
|
||||
|
||||
error = suser(req->p);
|
||||
error = suser_xxx(0, req->p, PRISON_ROOT);
|
||||
if (error)
|
||||
return (error);
|
||||
error = SYSCTL_IN(req, addrs, sizeof(addrs));
|
||||
@ -913,6 +913,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
|
||||
error = ENOENT;
|
||||
goto out;
|
||||
}
|
||||
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
|
||||
if (error)
|
||||
goto out;
|
||||
bzero(&xuc, sizeof(xuc));
|
||||
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
|
||||
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
|
||||
@ -924,8 +927,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
|
||||
return (error);
|
||||
}
|
||||
|
||||
SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
|
||||
0, 0, tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
|
||||
SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
|
||||
CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
|
||||
tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
|
||||
|
||||
#ifdef INET6
|
||||
static int
|
||||
@ -936,7 +940,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
|
||||
struct inpcb *inp;
|
||||
int error, s, mapped = 0;
|
||||
|
||||
error = suser(req->p);
|
||||
error = suser_xxx(0, req->p, PRISON_ROOT);
|
||||
if (error)
|
||||
return (error);
|
||||
error = SYSCTL_IN(req, addrs, sizeof(addrs));
|
||||
@ -965,6 +969,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
|
||||
error = ENOENT;
|
||||
goto out;
|
||||
}
|
||||
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
|
||||
if (error)
|
||||
goto out;
|
||||
bzero(&xuc, sizeof(xuc));
|
||||
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
|
||||
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
|
||||
@ -976,9 +983,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
|
||||
return (error);
|
||||
}
|
||||
|
||||
SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
|
||||
0, 0,
|
||||
tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
|
||||
SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
|
||||
CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
|
||||
tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
|
||||
#endif
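Review bot: Nothing in tcp6_getcred or in the SYSCTL_PROC registration below it records why the node is now reachable from inside a jail, and the enforcement is split across three places a reader has to connect: `CTLFLAG_PRISON` on the node, `suser_xxx(0, req->p, PRISON_ROOT)` at the top of the handler, and the `u_cansee()` call after the lookup. A short comment above the function would keep a later change from weakening one of the three without noticing, e.g. `/* Reachable by jailed root (CTLFLAG_PRISON, PRISON_ROOT); u_cansee() limits results to sockets the caller's jail/uid may see. */`. Exactly what `u_cansee()` permits is defined outside this diff, so word the comment to match its actual checks. tcp6_getcred's body begins before the first hunk and its `out:` path is outside the view.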
|
||||
|
||||
|
||||
|
@ -628,7 +628,7 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
|
||||
struct inpcb *inp;
|
||||
int error, s;
|
||||
|
||||
error = suser(req->p);
|
||||
error = suser_xxx(0, req->p, PRISON_ROOT);
|
||||
if (error)
|
||||
return (error);
|
||||
error = SYSCTL_IN(req, addrs, sizeof(addrs));
|
||||
@ -641,6 +641,9 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
|
||||
error = ENOENT;
|
||||
goto out;
|
||||
}
|
||||
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
|
||||
if (error)
|
||||
goto out;
|
||||
bzero(&xuc, sizeof(xuc));
|
||||
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
|
||||
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
|
||||
@ -652,8 +655,9 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
|
||||
return (error);
|
||||
}
|
||||
|
||||
SYSCTL_PROC(_net_inet_udp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
|
||||
0, 0, udp_getcred, "S,xucred", "Get the xucred of a UDP connection");
|
||||
SYSCTL_PROC(_net_inet_udp, OID_AUTO, getcred,
|
||||
CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
|
||||
udp_getcred, "S,xucred", "Get the xucred of a UDP connection");
|
||||
|
||||
static int
|
||||
udp_output(inp, m, addr, control, p)
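Review bot: udp_getcred carries the same error-code asymmetry as the TCP handlers: a failed lookup returns ENOENT (the line before the closing brace in the second hunk) while a socket that exists but fails `u_cansee()` returns whatever that function yields, so a jailed root process can still learn that a given UDP address/port pair is bound on the host even though its credentials stay hidden. If callers do not need to distinguish "absent" from "not visible", `if (error) { error = ENOENT; goto out; }` after the `u_cansee()` call removes the distinction. Whether `u_cansee()`'s error really differs from ENOENT is decided outside this diff and should be checked there first. The function's opening and the `out:` label lie outside the hunks.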
|
||||
|