=== Process Visibility Security Policies Links: + link:https://reviews.freebsd.org/D40626[Start of the reviews stack] URL: link:https://reviews.freebsd.org/D40626[] Contact: Olivier Certner ==== Context FreeBSD implements three built-in security policies that limit which processes are visible to particular users, with the goal of preventing information leaks and unwanted interactions. The first one can prevent an unprivileged user from seeing or interacting with processes that do not have the user's UID as their real UID. It can be activated by setting the sysctl `security.bsd.see_other_uids` to 0 (default is 1). The second one can prevent an unprivileged user from seeing or interacting with processes whose credentials do not have any group that the user is a member of. It can be activated by setting the sysctl `security.bsd.see_other_gids` to 0 (default is 1). The third one can prevent an unprivileged user's process from seeing or interacting with processes that are in a jail that is a strict sub-jail of the former. The jail subsystem already prevents such a process to see processes in jails that are not descendant of its own (see man:jail[8] and in particular the section "Hierarchical Jails"). One possible use of this policy is, in conjunction with the first one above, to hide processes in sub-jails that have the same real UID as some user in an ancestor jail, because users having identical UIDs in these different jails are logically considered as different users. It can be activated by setting the sysctl `security.bsd.see_jail_proc` to 0 (default is 1). After a review of these policies' code and real world testing, we noticed a number of problems and limitations which prompted us to work on this topic. ==== Changes The policy controlled by the `security.bsd.see_jail_proc` sysctl has received the following fixes and improvements: - Harden the `security.bsd.see_jail_proc` policy by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them. - Make this policy overridable by MAC policies, as are the others. The policy controlled by `security.bsd.see_other_gids` was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process' groups. The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit. Conversely, they should not see processes launched by a privileged user that temporarily enters the user's primary group. This new behavior is consistent with what `security.bsd.see_other_uids` has always been doing for user IDs (i.e., considering some process' real user ID and not the effective ID). We have updated manual pages related to these security policies, including man:security[7], man:sysctl[8], and man:ptrace[2]. Several manual pages of internal functions either implementing or leveraging these policies have also been revamped. ==== Status Thanks to the help of mailto:mhorne@FreeBSD.org[Mitchell Horne], mailto:pauamma@gundo.com[Pau Amma], mailto:bcr@FreeBSD.org[Benedict Reuschling] and mailto:emaste@FreeBSD.org[Ed Maste], most of the submitted changes have been reviewed and approved, so they should reach the tree soon. The patch series starts with https://reviews.freebsd.org/D40626[review D40626]. From there, click on the "Stack" tab to see the full list of reviews implementing the changes. As a later step, we are considering turning the `security.bsd.see_jail_proc` policy on by default (i.e., the default value of the sysctl would become 0) unless there are objections. Sponsor: Kumacom SAS (for development work) + Sponsor: The FreeBSD Foundation (for most of the reviews)