
Allow getcred sysctl to work in jailed root processes. Processes can
only do getcred calls for sockets which were created in the same jail.
This should allow the ident to work in a reasonable way within jails.

PR:		28107
Approved by:	des, rwatson
David Malone 2001-06-24 12:18:27 +00:00
parent 5e209ca776
commit 7ce87f1205
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=78697
3 changed files with 35 additions and 17 deletions


@ -900,7 +900,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp; struct inpcb *inp;
int error, s; int error, s;
error = suser(req->p); error = suser_xxx(0, req->p, PRISON_ROOT);
if (error) if (error)
return (error); return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs)); error = SYSCTL_IN(req, addrs, sizeof(addrs));
@ -913,6 +913,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT; error = ENOENT;
goto out; goto out;
} }
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
if (error)
goto out;
bzero(&xuc, sizeof(xuc)); bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid; xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups; xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@ -924,8 +927,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
return (error); return (error);
} }
SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW, SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
0, 0, tcp_getcred, "S,xucred", "Get the xucred of a TCP connection"); CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
#ifdef INET6 #ifdef INET6
static int static int
@ -936,7 +940,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp; struct inpcb *inp;
int error, s, mapped = 0; int error, s, mapped = 0;
error = suser(req->p); error = suser_xxx(0, req->p, PRISON_ROOT);
if (error) if (error)
return (error); return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs)); error = SYSCTL_IN(req, addrs, sizeof(addrs));
@ -965,6 +969,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT; error = ENOENT;
goto out; goto out;
} }
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
if (error)
goto out;
bzero(&xuc, sizeof(xuc)); bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid; xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups; xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@ -976,9 +983,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
return (error); return (error);
} }
SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW, SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
0, 0, CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection"); tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
#endif #endif
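Review bot: In the `u_cansee()` hunk of tcp_getcred, a denied lookup leaves through `goto out` carrying whatever `u_cansee()` returned, while a missing PCB leaves with `ENOENT` a few lines earlier. If those values differ (the return codes of `u_cansee()` are not visible on this page), a jailed root caller can tell a connection that exists in another jail from one that does not exist at all, which leaks the presence of sockets outside its jail. Collapsing both outcomes would close that, e.g. `if (u_cansee(req->p->p_ucred, inp->inp_socket->so_cred) != 0) { error = ENOENT; goto out; }`. The same applies to the matching hunks in tcp6_getcred and udp_getcred; all three function bodies start and end outside the hunks shown.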


@ -900,7 +900,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp; struct inpcb *inp;
int error, s; int error, s;
error = suser(req->p); error = suser_xxx(0, req->p, PRISON_ROOT);
if (error) if (error)
return (error); return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs)); error = SYSCTL_IN(req, addrs, sizeof(addrs));
@ -913,6 +913,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT; error = ENOENT;
goto out; goto out;
} }
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
if (error)
goto out;
bzero(&xuc, sizeof(xuc)); bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid; xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups; xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@ -924,8 +927,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
return (error); return (error);
} }
SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW, SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
0, 0, tcp_getcred, "S,xucred", "Get the xucred of a TCP connection"); CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
#ifdef INET6 #ifdef INET6
static int static int
@ -936,7 +940,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp; struct inpcb *inp;
int error, s, mapped = 0; int error, s, mapped = 0;
error = suser(req->p); error = suser_xxx(0, req->p, PRISON_ROOT);
if (error) if (error)
return (error); return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs)); error = SYSCTL_IN(req, addrs, sizeof(addrs));
@ -965,6 +969,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT; error = ENOENT;
goto out; goto out;
} }
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
if (error)
goto out;
bzero(&xuc, sizeof(xuc)); bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid; xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups; xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@ -976,9 +983,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
return (error); return (error);
} }
SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW, SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
0, 0, CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection"); tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
#endif #endif
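Review bot: The `u_cansee()` call added to tcp_getcred and tcp6_getcred carries no comment, yet it is the only check that confines the handler once `suser_xxx(0, req->p, PRISON_ROOT)` and `CTLFLAG_PRISON` let jailed root in. A later cleanup that takes it for a duplicate of the privilege check would expose the credentials of sockets the caller should not see. I would add above it `/* Jailed root passes suser_xxx() above; u_cansee() is what limits the answer to sockets visible to the caller. */`. The function bodies extend beyond the hunks, so the guard that precedes the `ENOENT` assignment is not visible here.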


@ -628,7 +628,7 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp; struct inpcb *inp;
int error, s; int error, s;
error = suser(req->p); error = suser_xxx(0, req->p, PRISON_ROOT);
if (error) if (error)
return (error); return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs)); error = SYSCTL_IN(req, addrs, sizeof(addrs));
@ -641,6 +641,9 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT; error = ENOENT;
goto out; goto out;
} }
error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
if (error)
goto out;
bzero(&xuc, sizeof(xuc)); bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid; xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups; xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@ -652,8 +655,9 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
return (error); return (error);
} }
SYSCTL_PROC(_net_inet_udp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW, SYSCTL_PROC(_net_inet_udp, OID_AUTO, getcred,
0, 0, udp_getcred, "S,xucred", "Get the xucred of a UDP connection"); CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
udp_getcred, "S,xucred", "Get the xucred of a UDP connection");
static int static int
udp_output(inp, m, addr, control, p) udp_output(inp, m, addr, control, p)
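Review bot: The `SYSCTL_PROC` declaration for the UDP `getcred` node now sets `CTLFLAG_PRISON` on a `CTLFLAG_RW` OID, and nothing at the declaration says why a writable node is safe to expose inside a jail. As far as the hunks show, the handler only reads the address pair through `SYSCTL_IN` and relies on the `u_cansee()` check in udp_getcred for confinement. I would record that at the declaration, e.g. `/* CTLFLAG_PRISON: callable by jailed root; udp_getcred() filters with u_cansee(). RW only because the address pair arrives as the new value. */`. The same comment fits the two TCP declarations in the other changed files.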