freebsd-src

mirror of https://github.com/freebsd/freebsd-src.git synced 2024-11-30 08:43:23 +00:00

History

Olivier Certner 9dad3ed1d1 cr_canseejailproc(): New privilege, no direct check for UID 0 Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of explicitly testing for UID 0 (the former has been the rule for almost 20 years). As a consequence, cr_canseejailproc() now abides by the 'security.bsd.suser_enabled' sysctl and MAC policies. Update the MAC policies Biba and LOMAC, and prison_priv_check() so that they don't deny this privilege. This preserves the existing behavior (the 'root' user is not restricted, even when jailed, unless 'security.bsd.suser_enabled' is not 0) and is consistent with what is done for the related policies/privileges (PRIV_SEEOTHERGIDS, PRIV_SEEOTHERUIDS). Reviewed by: emaste (earlier version), mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40626 (cherry picked from commit `7974ca1cdb`)	2023-10-17 16:42:58 -03:00
..
mac_biba.c	cr_canseejailproc(): New privilege, no direct check for UID 0	2023-10-17 16:42:58 -03:00
mac_biba.h	sys: Remove $FreeBSD$: two-line .h pattern	2023-08-16 11:54:11 -06:00

Olivier Certner 9dad3ed1d1 cr_canseejailproc(): New privilege, no direct check for UID 0

Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of
explicitly testing for UID 0 (the former has been the rule for almost 20
years).

As a consequence, cr_canseejailproc() now abides by the
'security.bsd.suser_enabled' sysctl and MAC policies.

Update the MAC policies Biba and LOMAC, and prison_priv_check() so that
they don't deny this privilege.  This preserves the existing behavior
(the 'root' user is not restricted, even when jailed, unless
'security.bsd.suser_enabled' is not 0) and is consistent with what is
done for the related policies/privileges (PRIV_SEEOTHERGIDS,
PRIV_SEEOTHERUIDS).

Reviewed by:            emaste (earlier version), mhorne
MFC after:              2 weeks
Sponsored by:           Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40626

(cherry picked from commit 7974ca1cdb)

2023-10-17 16:42:58 -03:00

mac_biba.c cr_canseejailproc(): New privilege, no direct check for UID 0 2023-10-17 16:42:58 -03:00

mac_biba.h sys: Remove $FreeBSD$: two-line .h pattern 2023-08-16 11:54:11 -06:00