cr_canseejailproc(): New privilege, no direct check for UID 0

Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of explicitly testing for UID 0 (the former has been the rule for almost 20 years). As a consequence, cr_canseejailproc() now abides by the 'security.bsd.suser_enabled' sysctl and MAC policies. Update the MAC policies Biba and LOMAC, and prison_priv_check() so that they don't deny this privilege. This preserves the existing behavior (the 'root' user is not restricted, even when jailed, unless 'security.bsd.suser_enabled' is not 0) and is consistent with what is done for the related policies/privileges (PRIV_SEEOTHERGIDS, PRIV_SEEOTHERUIDS). Reviewed by: emaste (earlier version), mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40626 (cherry picked from commit 7974ca1cdb)
2024-11-30 10:52:50 +00:00 · 2023-08-18 01:54:37 +02:00 · 2023-08-18 01:54:37 +02:00 · 9dad3ed1d1
commit 9dad3ed1d1
parent 6eae573dc2
5 changed files with 9 additions and 2 deletions
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@ -3938,6 +3938,7 @@ prison_priv_check(struct ucred *cred, int priv)
 		 */
 	case PRIV_SEEOTHERGIDS:
 	case PRIV_SEEOTHERUIDS:
+	case PRIV_SEEJAILPROC:

 		/*
 		 * Jail implements inter-process debugging limits already, so
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@ -1426,9 +1426,12 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
 int
 cr_canseejailproc(struct ucred *u1, struct ucred *u2)
 {
-	if (u1->cr_uid == 0)
+	if (see_jail_proc || /* Policy deactivated. */
+	    u1->cr_prison == u2->cr_prison || /* Same jail. */
+	    priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
 		return (0);
-	return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0);
+
+	return (ESRCH);
 }

 /*-
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@ -1924,6 +1924,7 @@ biba_priv_check(struct ucred *cred, int priv)
 	 */
 	case PRIV_SEEOTHERGIDS:
 	case PRIV_SEEOTHERUIDS:
+	case PRIV_SEEJAILPROC:
 		break;

 	/*
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@ -1702,6 +1702,7 @@ lomac_priv_check(struct ucred *cred, int priv)
 	 */
 	case PRIV_SEEOTHERGIDS:
 	case PRIV_SEEOTHERUIDS:
+	case PRIV_SEEJAILPROC:
 		break;

 	/*
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@ -105,6 +105,7 @@
 #define	PRIV_CRED_SETRESGID	58	/* setresgid. */
 #define	PRIV_SEEOTHERGIDS	59	/* Exempt bsd.seeothergids. */
 #define	PRIV_SEEOTHERUIDS	60	/* Exempt bsd.seeotheruids. */
+#define	PRIV_SEEJAILPROC        61      /* Exempt from bsd.see_jail_proc. */

 /*
 * Debugging privileges.