PERFORCE change 105883 for review
Robert Watson
rwatson at FreeBSD.org
Sat Sep 9 10:07:01 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=105883
Change 105883 by rwatson at rwatson_sesame on 2006/09/09 10:06:18
Annotate inconsistencies in procfs access control.
Annotate the oddness of WITNESS doing a privilege check in a
sysctl.
Annotate the oddness of uipc_mqueue with respect to jail.
Update vfs_mount.c so that overriding the owner during mount is
based on vfs_admin, which is generally allowed in jail; this is
separate from other privilege checks elsewhere in the mount
process.
Complete rename of priv_vfs_mountowner.
Convert vfs_syscalls.c to use the admin privilege rather than the
revoke privilege.
Annotate that the raw socket decision would be better made in the
jail code than in the raw socket code.
Convert IPv6 to allow privileged ports to be used in jail,
consistent with IPv4.
Don't allow managing IPSEC in jail.
Don't limit querying netinet IPv6 pcb information in jail based
on a privilege check, there are separate visibility checks for
that.
In mac_portacl, exempt jailed root, similar to other places where
root can bind ports.
Affected files ...
.. //depot/projects/trustedbsd/priv/sys/fs/procfs/procfs_ioctl.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/kern/subr_witness.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/kern/uipc_mqueue.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/kern/vfs_subr.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/netinet/raw_ip.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/netinet6/in6_src.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/netinet6/ipsec.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/netinet6/udp6_usrreq.c#3 edit
.. //depot/projects/trustedbsd/priv/sys/netipsec/ipsec_osdep.h#3 edit
.. //depot/projects/trustedbsd/priv/sys/security/mac_portacl/mac_portacl.c#3 edit
Differences ...
==== //depot/projects/trustedbsd/priv/sys/fs/procfs/procfs_ioctl.c#3 (text+ko) ====
@@ -92,6 +92,9 @@
* XXXRW: Is this specific check required here, as
* p_candebug() should implement it, or other checks
* are missing.
+ *
+ * XXXRW: Other debugging privileges are granted in
+ * jail, why isn't this?
*/
error = priv_check(td, PRIV_DEBUG_SUGID);
if (error)
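Review bot: The added XXXRW note asks why PRIV_DEBUG_SUGID is not granted in jail but leaves the consequence of granting it unstated, which is exactly what a later reader deciding the question needs. Judging from the privilege name, relaxing this check would let jailed root attach to set-id processes inside the jail, so the annotation should record that trade-off and not only the inconsistency. Suggest extending the new paragraph to `* jail, why isn't this?  Relaxing it would expose set-id processes in the jail to jailed root.` The enclosing function starts and ends outside the hunk.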
==== //depot/projects/trustedbsd/priv/sys/kern/subr_witness.c#3 (text+ko) ====
@@ -533,6 +533,9 @@
error = sysctl_handle_int(oidp, &value, 0, req);
if (error != 0 || req->newptr == NULL)
return (error);
+ /*
+ * XXXRW: Why a priv check here?
+ */
error = priv_check(req->td, PRIV_WITNESS);
if (error != 0)
return (error);
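Review bot: The new comment asks why a privilege check is needed here but does not record what already gates this path, which is the information needed to answer it. Because the check runs only after the `req->newptr == NULL` early return, it applies to writes alone; if the sysctl framework in this tree already restricts writes to privileged callers (not confirmable from the hunk), this check adds only a policy-specific privilege name. Suggest `* XXXRW: Why a priv check here?  It only affects writes; is it redundant with the sysctl write path's own check?` The enclosing handler starts outside the hunk.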
==== //depot/projects/trustedbsd/priv/sys/kern/uipc_mqueue.c#3 (text+ko) ====
@@ -954,6 +954,10 @@
sx_assert(&pn->mn_info->mi_lock, SX_LOCKED);
+ /*
+ * XXXRW: Other instances of the message queue primitive are
+ * allowed in jail?
+ */
if (ucred->cr_uid != pn->mn_uid &&
(error = priv_check_cred(ucred, PRIV_MQ_ADMIN, 0)) != 0)
error = EACCES;
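Review bot: The added comment asks whether other message-queue operations are allowed in jail without stating the local fact that makes this site inconsistent, namely that the call below passes `0` rather than SUSER_ALLOWJAIL, so jailed root is refused here. Making that explicit lets a reader evaluate the question without re-deriving it. Suggest `* XXXRW: This passes 0, so jailed root is refused here; are other message queue operations allowed in jail?` The enclosing function starts and ends outside the hunk.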
==== //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c#3 (text+ko) ====
@@ -908,7 +908,8 @@
return (error);
}
if (va.va_uid != td->td_ucred->cr_uid) {
- error = priv_check(td, PRIV_VFS_ADMIN);
+ error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
+ SUSER_ALLOWJAIL);
if (error) {
vput(vp);
return (error);
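Review bot: The switch to SUSER_ALLOWJAIL widens PRIV_VFS_ADMIN here to jailed root without an in-code comment saying so; the rationale lives only in the change description, and the vfs_syscalls.c hunk, which also moves to PRIV_VFS_ADMIN with SUSER_ALLOWJAIL, has the same gap. A reader of either site later cannot tell whether jail access was deliberate or an artifact of the priv_check_cred conversion. Suggest a comment above the check such as `/* vfs_admin is permitted in jail; see vfs_syscalls.c for the matching decision. */` and the converse at the vfs_syscalls.c site. Both enclosing functions start and end outside their hunks.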
==== //depot/projects/trustedbsd/priv/sys/kern/vfs_subr.c#3 (text+ko) ====
@@ -407,7 +407,7 @@
if ((mp->mnt_flag & MNT_USER) == 0 ||
mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) {
- if ((error = priv_check(td, PRIV_VFS_MOUNTOWNER)) != 0)
+ if ((error = priv_check(td, PRIV_VFS_MOUNT_OWNER)) != 0)
return (error);
}
return (0);
==== //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c#3 (text+ko) ====
@@ -3892,7 +3892,7 @@
if (error)
goto out;
if (td->td_ucred->cr_uid != vattr.va_uid) {
- error = priv_check_cred(td->td_ucred, PRIV_VFS_REVOKE,
+ error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN,
SUSER_ALLOWJAIL);
if (error)
goto out;
==== //depot/projects/trustedbsd/priv/sys/netinet/raw_ip.c#3 (text+ko) ====
@@ -605,6 +605,9 @@
inp = sotoinpcb(so);
KASSERT(inp == NULL, ("rip_attach: inp != NULL"));
+ /*
+ * XXXRW: Centralize privilege decision in kern_jail.c.
+ */
if (jailed(td->td_ucred) && !jail_allow_raw_sockets)
return (EPERM);
error = priv_check_cred(td->td_ucred, PRIV_NETINET_RAW,
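Review bot: The new XXXRW comment says the decision should move to kern_jail.c but not what is wrong with its current placement: `jail_allow_raw_sockets` is consulted before the priv_check_cred on the following line, so for a jailed credential the request is refused with EPERM before the privilege framework sees it at all. Recording that makes the centralization goal concrete for whoever picks it up. Suggest `* XXXRW: Centralize privilege decision in kern_jail.c; today the jail policy short-circuits the priv_check_cred() below.` rip_attach continues past the hunk, and the priv_check_cred call itself is cut at the hunk end.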
==== //depot/projects/trustedbsd/priv/sys/netinet6/in6_src.c#3 (text+ko) ====
@@ -773,7 +773,8 @@
last = ipport_hilastauto;
lastport = &pcbinfo->lasthi;
} else if (inp->inp_flags & INP_LOWPORT) {
- error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0);
+ error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
+ SUSER_ALLOWJAIL);
if (error)
return error;
first = ipport_lowfirstauto; /* 1023 */
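Review bot: Granting PRIV_NETINET_RESERVEDPORT with SUSER_ALLOWJAIL here changes who may bind low IPv6 ports but adds no comment, so the reader sees a bare flag change; the mac_portacl.c hunk makes the same change for the same privilege and has the same gap. Suggest `/* Jailed root may bind reserved ports, as for IPv4. */` above the call, and a matching note in mac_portacl.c stating that the suser exemption now covers jailed root as well. The enclosing function starts and ends outside the hunk.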
==== //depot/projects/trustedbsd/priv/sys/netinet6/ipsec.c#3 (text+ko) ====
@@ -1225,9 +1225,11 @@
/*
* XXXRW: Can we avoid caching the privilege decision here, and
* instead cache the credential?
+ *
+ * XXXRW: Why is suser_allowjail set here?
*/
if (so->so_cred != NULL && priv_check_cred(so->so_cred,
- PRIV_NETINET_IPSEC, SUSER_ALLOWJAIL) == 0)
+ PRIV_NETINET_IPSEC, 0) == 0)
new->priv = 1;
else
new->priv = 0;
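Review bot: The added question `XXXRW: Why is suser_allowjail set here?` is answered by the same hunk, which replaces SUSER_ALLOWJAIL with `0`, so the comment is stale the moment it lands; the ipsec_osdep.h hunk adds the same question in past tense beside the same change. Restate both as the decision taken, for example `* XXXRW: Jailed root is deliberately not granted PRIV_NETINET_IPSEC; IPSEC policy is not manageable from a jail.` so the comment documents policy rather than a resolved doubt. The enclosing function starts and ends outside the hunk.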
==== //depot/projects/trustedbsd/priv/sys/netinet6/udp6_usrreq.c#3 (text+ko) ====
@@ -435,7 +435,8 @@
struct inpcb *inp;
int error;
- error = priv_check(req->td, PRIV_NETINET_GETCRED);
+ error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED,
+ SUSER_ALLOWJAIL);
if (error)
return (error);
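Review bot: Allowing PRIV_NETINET_GETCRED in jail relies on separate visibility checks, according to the change description, but nothing at the call site says so, and the handler continues past the hunk where those checks presumably live. A one-line comment would tie the two together: `/* Jailed root may query; the pcb lookup below applies the usual visibility checks. */` with the wording confirmed against the rest of the function. The enclosing function starts and ends outside the hunk.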
==== //depot/projects/trustedbsd/priv/sys/netipsec/ipsec_osdep.h#3 (text+ko) ====
@@ -215,11 +215,12 @@
* NetBSD (1.6N) tests (so)->so_uid == 0).
* This difference is wrapped inside the IPSEC_PRIVILEGED_SO() macro.
*
+ * XXXRW: Why was this suser_allowjail?
*/
#ifdef __FreeBSD__
#define IPSEC_IS_PRIVILEGED_SO(_so) \
((_so)->so_cred != NULL && \
- priv_check_cred((_so)->so_cred, PRIV_NETINET_IPSECSUSER_ALLOWJAIL) \
+ priv_check_cred((_so)->so_cred, PRIV_NETINET_IPSEC, 0) \
== 0)
#endif /* __FreeBSD__ */
==== //depot/projects/trustedbsd/priv/sys/security/mac_portacl/mac_portacl.c#3 (text+ko) ====
@@ -428,7 +428,8 @@
mtx_unlock(&rule_mtx);
if (error != 0 && mac_portacl_suser_exempt != 0)
- error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0);
+ error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
+ SUSER_ALLOWJAIL);
return (error);
}