From sam@ada.eu.org  Sun Apr  9 06:30:23 2000
Return-Path: <sam@ada.eu.org>
Received: from ada.eu.org (marvin.enst.fr [137.194.161.2])
	by hub.freebsd.org (Postfix) with ESMTP id 72D1837B506
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  9 Apr 2000 06:30:01 -0700 (PDT)
	(envelope-from sam@ada.eu.org)
Received: from antinea.enst.fr (antinea.enst.fr [137.194.160.145])
	by ada.eu.org (Postfix) with ESMTP id B49C11905C
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  9 Apr 2000 15:29:38 +0200 (CEST)
Received: by antinea.enst.fr (Postfix, from userid 1000)
	id A609E3D9; Sun,  9 Apr 2000 15:29:32 +0200 (CEST)
Message-Id: <20000409132932.A609E3D9@antinea.enst.fr>
Date: Sun,  9 Apr 2000 15:29:32 +0200 (CEST)
From: sam@ada.eu.org
Reply-To: sam@ada.eu.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: Jail user can change priority of outside processes
X-Send-Pr-Version: 3.2

>Number:         17878
>Category:       kern
>Synopsis:       Jail user can change priority of outside processes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr  9 06:40:00 PDT 2000
>Closed-Date:    Mon Jun 5 11:21:07 PDT 2000
>Last-Modified:  Mon Jun 05 11:22:27 PDT 2000
>Originator:     Samuel Tardieu
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
TELECOM Paris
>Environment:

	Any jail will do.

>Description:

	A user (such as root) in a jail is able to use setpriority() (e.g.,
	through the renice command) to lower the priority level (increase
	the nice value) of a process which lives outside.

>How-To-Repeat:

	From within the jail, try

	# renice 5 PID

	where PID is a regular process which lives out of the jail (and thus
	cannot be seen using ps from within the jail).

>Fix:

	The following patch should correct this. However, I wonder if
	functions such as pfind() should not take another argument which
	would be the curproc value when applicable. It would require changing
	all the pfind() calls in the kernel, but would add extra
	security. Of course, process iterators would still have to be
	modified to honor the jail.

	Also, note that real-time priorities may suffer from the same problem.
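	As an added illustration of the process-iterator point above (not part
	of the PR or of FreeBSD's code): a small userland model of a jail-aware
	walk over a process group, contrasting a check on the first member only
	with a check on every member. The struct layout, the PRISON_CHECK
	semantics and the mixed process group are assumptions constructed for
	the model.

```c
#include <stddef.h>
/* Model only, not kernel code: an unjailed process has p_prison == NULL. */
struct prison { int pr_id; };
struct proc {
	struct prison *p_prison;
	int p_nice;
	struct proc *p_pglist;	/* next member of the same process group */
};

/* Assumed PRISON_CHECK(p1, p2) semantics: an unjailed caller may act on any
 * process, a jailed caller only on processes in its own prison. */
static int prison_check(const struct proc *p1, const struct proc *p2)
{
	return (p1->p_prison == NULL || p1->p_prison == p2->p_prison);
}

/* As in the proposed PRIO_PGRP hunks: test LIST_FIRST only, then renice
 * every member of the group. */
void renice_pgrp_first_only(struct proc *curp, struct proc *first, int prio)
{
	if (!prison_check(curp, first))
		return;
	for (struct proc *p = first; p != NULL; p = p->p_pglist)
		p->p_nice = prio;
}

/* Test inside the iterator, as the PRIO_USER hunks do; members outside the
 * caller's prison are left untouched. */
void renice_pgrp_per_member(struct proc *curp, struct proc *first, int prio)
{
	for (struct proc *p = first; p != NULL; p = p->p_pglist)
		if (prison_check(curp, p))
			p->p_nice = prio;
}

/* Constructed sample: caller and the group's first member are in prison A,
 * the second member is unjailed. Returns that outside process's nice value
 * after a request to set the whole group to 5. */
int demo_mixed_pgrp(int per_member)
{
	struct prison a = { 1 };
	struct proc outside = { NULL, 0, NULL };
	struct proc inside = { &a, 0, &outside };
	struct proc caller = { &a, 0, NULL };
	if (per_member)
		renice_pgrp_per_member(&caller, &inside, 5);
	else
		renice_pgrp_first_only(&caller, &inside, 5);
	return (outside.p_nice);	/* 5 with the first-only test, 0 per member */
}
```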

--- kern_resource.c.orig	Sun Apr  9 12:06:38 2000
+++ kern_resource.c	Sun Apr  9 12:31:53 2000
@@ -86,7 +86,7 @@
 			p = curp;
 		else
 			p = pfind(uap->who);
-		if (p == 0)
+		if (p == 0 || !PRISON_CHECK(curp, p))
 			break;
 		low = p->p_nice;
 		break;
@@ -98,6 +98,8 @@
 			pg = curp->p_pgrp;
 		else if ((pg = pgfind(uap->who)) == NULL)
 			break;
+		if (!PRISON_CHECK(curp, LIST_FIRST(&pg->pg_members)))
+			break;
 		LIST_FOREACH(p, &pg->pg_members, p_pglist) {
 			if (p->p_nice < low)
 				low = p->p_nice;
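Review bot: testing only LIST_FIRST(&pg->pg_members) assumes every member of a process group is in the same prison, which jail(2) does not guarantee, since it leaves the calling process in whatever group it already had; members in another prison would still be read by the LIST_FOREACH that follows. Moving the test into the loop, as the PRIO_USER case below does (`if (PRISON_CHECK(curp, p) && p->p_nice < low)`), keeps the check per process.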
@@ -110,7 +112,8 @@
 			uap->who = curp->p_ucred->cr_uid;
 		LIST_FOREACH(p, &allproc, p_list)
 			if (p->p_ucred->cr_uid == uap->who &&
-			    p->p_nice < low)
+			    p->p_nice < low &&
+			    PRISON_CHECK(curp, p))
 				low = p->p_nice;
 		break;
 
@@ -146,7 +149,7 @@
 			p = curp;
 		else
 			p = pfind(uap->who);
-		if (p == 0)
+		if (p == 0 || !PRISON_CHECK(curp, p))
 			break;
 		error = donice(curp, p, uap->prio);
 		found++;
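Review bot: same trade-off as the getpriority() PRIO_PROCESS hunk, and it works out the same way here: `break` without reaching `found++` makes an out-of-jail PID indistinguishable from a nonexistent one to the jailed caller.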
@@ -159,6 +162,8 @@
 			pg = curp->p_pgrp;
 		else if ((pg = pgfind(uap->who)) == NULL)
 			break;
+		if (!PRISON_CHECK(curp, LIST_FIRST(&pg->pg_members)))
+			break;
 		LIST_FOREACH(p, &pg->pg_members, p_pglist) {
 			error = donice(curp, p, uap->prio);
 			found++;
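Review bot: same concern as the getpriority() PRIO_PGRP hunk, but more serious here because donice() is then applied to every member: if the group's first member happens to be in the caller's prison, any member outside it is still reniced and counted in `found`. Suggest `if (!PRISON_CHECK(curp, p)) continue;` as the first statement of the LIST_FOREACH body, so only members the caller is allowed to touch are reniced and counted.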
@@ -170,7 +175,8 @@
 		if (uap->who == 0)
 			uap->who = curp->p_ucred->cr_uid;
 		LIST_FOREACH(p, &allproc, p_list)
-			if (p->p_ucred->cr_uid == uap->who) {
+			if (p->p_ucred->cr_uid == uap->who &&
+			    PRISON_CHECK(curp, p)) {
 				error = donice(curp, p, uap->prio);
 				found++;
 			}
@@ -239,7 +245,7 @@
 	else
 		p = pfind(uap->pid);
 
-	if (p == 0)
+	if (p == 0 || !PRISON_CHECK(curp, p))
 		return (ESRCH);
 
 	switch (uap->function) {
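Review bot: this hunk covers the rtprio(2) path the Fix text only flags ("real-time priorities may suffer from the same problem"); placing the check before `switch (uap->function)` refuses both lookup and set uniformly with ESRCH, consistent with the PRIO_PROCESS hunks. As there, `p == NULL` would match style(9) better than `p == 0`.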

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->phk 
Responsible-Changed-By: roberto 
Responsible-Changed-When: Tue Apr 11 02:13:57 PDT 2000 
Responsible-Changed-Why:  
jail is Poul-Henning's baby. 
Responsible-Changed-From-To: phk->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Sat Jun 3 21:29:10 PDT 2000 
Responsible-Changed-Why:  
Applied a patch for this and another jail issue with IPv6.  The applied 
patch is a little bit different -- please check that it meets your needs 
and let me know if/if not so I can close the PR, or apply further changes. 
Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=17878 
State-Changed-From-To: open->closed 
State-Changed-By: rwatson 
State-Changed-When: Mon Jun 5 11:21:07 PDT 2000 
State-Changed-Why:  

Committed changes appear to work correctly in test environments.  Closing 
PR but it can be reopened if there are any further problems. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=17878 
>Unformatted:
