Index: kern/kern_proc.c
===================================================================
RCS file: /spare/freebsd/ncvs/src/sys/kern/kern_proc.c,v
retrieving revision 1.101
diff -u -r1.101 kern_proc.c
--- kern/kern_proc.c 12 Sep 2001 08:37:44 -0000 1.101
+++ kern/kern_proc.c 6 Oct 2001 03:16:41 -0000
@@ -59,10 +59,6 @@
 static MALLOC_DEFINE(M_PROC, "proc", "Proc structures");
 MALLOC_DEFINE(M_SUBPROC, "subproc", "Proc sub-structures");
-int ps_showallprocs = 1;
-SYSCTL_INT(_kern, OID_AUTO, ps_showallprocs, CTLFLAG_RW,
- &ps_showallprocs, 0, "");
-
 static void pgdelete __P((struct pgrp *));
 static void orphanpg __P((struct pgrp *pg));
Index: kern/kern_prot.c
===================================================================
RCS file: /spare/freebsd/ncvs/src/sys/kern/kern_prot.c,v
retrieving revision 1.107
diff -u -r1.107 kern_prot.c
--- kern/kern_prot.c 26 Sep 2001 20:41:48 -0000 1.107
+++ kern/kern_prot.c 6 Oct 2001 21:05:00 -0000
@@ -1299,7 +1299,6 @@
 return (0);
 }
-
 /*
  * Test (local, globale) securelevel values against passed required
  * securelevel. _gt implements (level > securelevel), and _ge implements
@@ -1357,6 +1356,16 @@
 }
 }
+/*
+ * kern_security_seeotheruids_permitted determines whether or not visibility
+ * of processes and sockets with credentials holding different real uid's
+ * is possible using a variety of system MIBs.
+ */
+static int kern_security_seeotherruids_permitted = 1;
+SYSCTL_INT(_kern_security, OID_AUTO, seeotheruids_permitted,
+ CTLFLAG_RW, &kern_security_seeotherruids_permitted, 0,
+ "Unprivileged processes may see subjects/objects with different real uid");
+
 /*-
  * Determine if u1 "can see" the subject specified by u2.
  * Returns: 0 for permitted, an errno value otherwise
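Review bot: The new knob is spelled three ways in the second kern_prot.c hunk: the header comment documents `kern_security_seeotheruids_permitted`, the variable declared right under it is `kern_security_seeotherruids_permitted` (an extra `r`), and the sysctl leaf is `seeotheruids_permitted`, so a reader grepping for the name given in the comment or in the MIB finds no such variable. Pick one spelling and use it for all three, e.g. `static int kern_security_seeotheruids_permitted = 1;` with the same identifier in the SYSCTL_INT reference and in the cr_cansee test in the following hunk. The comment could also be concrete about what the knob governs instead of "a variety of system MIBs": the real-uid test in cr_cansee and, through it, the pcb list sysctl handlers this diff converts; the description string already says more than the comment does. The `_kern_security` parent node is not declared in this diff, so it is presumably defined elsewhere.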
@@ -1372,7 +1381,8 @@
 if ((error = prison_check(u1, u2)))
 return (error);
- if (!ps_showallprocs && u1->cr_ruid != u2->cr_ruid) {
+ if (!kern_security_seeotherruids_permitted &&
+ u1->cr_ruid != u2->cr_ruid) {
 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
 return (ESRCH);
 }
Index: kern/uipc_socket.c
===================================================================
RCS file: /spare/freebsd/ncvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.101
diff -u -r1.101 uipc_socket.c
--- kern/uipc_socket.c 5 Oct 2001 07:06:21 -0000 1.101
+++ kern/uipc_socket.c 6 Oct 2001 03:16:41 -0000
@@ -92,10 +92,6 @@
 SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW, &somaxconn, 0, "Maximum pending socket connection queue size");
-int showallsockets = 1;
-SYSCTL_INT(_kern_ipc, OID_AUTO, showallsockets, CTLFLAG_RW, &showallsockets,
- 0, "show users all other users pcb data");
-
 /*
  * Socket operation routines.
  * These routines are called by the routines in
@@ -1656,21 +1652,6 @@
 if (so == NULL)
 return (EPERM);
 if (so->so_cred->cr_uid == uid)
- return (0);
- return (EPERM);
-}
-
-int
-socheckproc(struct socket *so, struct proc *p)
-{
-
- if (p == NULL)
- return (ESRCH);
- if (socheckuid(so, p->p_ucred->cr_ruid) == 0)
- return (0);
- if (socheckuid(so, p->p_ucred->cr_uid) == 0)
- return (0);
- if (!suser_xxx(0, p, PRISON_ROOT))
 return (0);
 return (EPERM);
 }
Index: kern/uipc_usrreq.c
===================================================================
RCS file: /spare/freebsd/ncvs/src/sys/kern/uipc_usrreq.c,v
retrieving revision 1.73
diff -u -r1.73 uipc_usrreq.c
--- kern/uipc_usrreq.c 5 Oct 2001 07:06:22 -0000 1.73
+++ kern/uipc_usrreq.c 6 Oct 2001 21:55:28 -0000
@@ -803,16 +803,6 @@
 #endif
 static int
-prison_unpcb(struct proc *p, struct unpcb *unp)
-{
- if (!jailed(p->p_ucred))
- return (0);
- if (p->p_fd->fd_rdir == unp->unp_rvnode)
- return (0);
- return (1);
-}
-
-static int
 unp_pcblist(SYSCTL_HANDLER_ARGS)
 {
 int error, i, n;
@@ -859,9 +849,9 @@
 for (unp = LIST_FIRST(head), i = 0; unp && i < n;
 unp = LIST_NEXT(unp, unp_link)) {
- if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp)) {
- if (!showallsockets && socheckproc(unp->unp_socket,
- curthread->td_proc))
+ if (unp->unp_gencnt <= gencnt) {
+ if (cr_cansee(req->p->p_ucred,
+ unp->unp_socket->so_cred))
 continue;
 unp_list[i++] = unp;
 }
Index: netinet/raw_ip.c
===================================================================
RCS file: /spare/freebsd/ncvs/src/sys/netinet/raw_ip.c,v
retrieving revision 1.84
diff -u -r1.84 raw_ip.c
--- netinet/raw_ip.c 5 Oct 2001 07:06:31 -0000 1.84
+++ netinet/raw_ip.c 6 Oct 2001 21:27:52 -0000
@@ -630,8 +630,8 @@
 for (inp = LIST_FIRST(ripcbinfo.listhead), i = 0; inp && i < n;
 inp = LIST_NEXT(inp, inp_list)) {
 if (inp->inp_gencnt <= gencnt) {
- if (!showallsockets && socheckproc(inp->inp_socket,
- curthread->td_proc))
+ if (cr_cansee(req->p->p_ucred,
+ inp->inp_socket->so_cred))
 continue;
 inp_list[i++] = inp;
 }
Index: netinet/tcp_subr.c
===================================================================
RCS file: /spare/freebsd/ncvs/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.115
diff -u -r1.115 tcp_subr.c
--- netinet/tcp_subr.c 5 Oct 2001 07:06:31 -0000 1.115
+++ netinet/tcp_subr.c 6 Oct 2001 21:36:22 -0000
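Review bot: The new filter in unp_pcblist dereferences `unp->unp_socket->so_cred` unconditionally, whereas the old path went through socheckuid(), which (per the context lines of the uipc_socket.c hunk) rejects a NULL socket with EPERM before touching so_cred. Whether a pcb on this list can have a NULL unp_socket cannot be told from the hunk; if it can, the sysctl handler now faults instead of skipping the entry. The same pattern appears in the raw_ip.c hunk in this chunk and in the tcp_subr.c and udp_usrreq.c hunks (`inp->inp_socket->so_cred`). A guard that keeps the old skip-on-NULL behaviour would be `if (unp->unp_socket == NULL || cr_cansee(req->p->p_ucred, unp->unp_socket->so_cred))` on the converted condition, with the matching `inp->inp_socket` form in the three inpcb handlers. Separately, the deleted prison_unpcb() compared the caller's root directory with unp_rvnode, while cr_cansee (per the kern_prot.c hunk) relies on prison_check() on the two credentials; it is worth confirming the two tests coincide for jailed callers, since this list is now filtered purely by credential.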
@@ -854,9 +854,9 @@
 s = splnet();
 for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
 inp = LIST_NEXT(inp, inp_list)) {
- if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
- if (!showallsockets && socheckproc(inp->inp_socket,
- curthread->td_proc))
+ if (inp->inp_gencnt <= gencnt) {
+ if (cr_cansee(req->p->p_ucred,
+ inp->inp_socket->so_cred))
 continue;
 inp_list[i++] = inp;
 }
Index: netinet/udp_usrreq.c
===================================================================
RCS file: /spare/freebsd/ncvs/src/sys/netinet/udp_usrreq.c,v
retrieving revision 1.97
diff -u -r1.97 udp_usrreq.c
--- netinet/udp_usrreq.c 5 Oct 2001 07:06:31 -0000 1.97
+++ netinet/udp_usrreq.c 6 Oct 2001 21:41:11 -0000
@@ -579,9 +579,9 @@
 s = splnet();
 for (inp = LIST_FIRST(udbinfo.listhead), i = 0; inp && i < n;
 inp = LIST_NEXT(inp, inp_list)) {
- if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
- if (!showallsockets && socheckproc(inp->inp_socket,
- curthread->td_proc))
+ if (inp->inp_gencnt <= gencnt) {
+ if (cr_cansee(req->p->p_ucred,
+ inp->inp_socket->so_cred))
 continue;
 inp_list[i++] = inp;
 }
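Review bot: The `!prison_xinpcb(req->p, inp)` term is dropped from the list filter here and in the udp_usrreq.c hunk below, but unlike prison_unpcb() in uipc_usrreq.c, which this diff deletes, the definition of prison_xinpcb is not touched. If these were its only callers it should be removed in the same change; if it has other callers, the commit should state that prison_check() inside cr_cansee is meant to cover the jail confinement prison_xinpcb provided (its body is not in this diff), because the two are not obviously equivalent. A one-line comment above the converted `if`, such as `/* jail and uid visibility are both decided by cr_cansee() */`, would make that intent explicit for the next reader. The enclosing sysctl handlers start before and end after these hunks.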