doc/share/security/patches/SA-04:03/jail.patch

Index: src/sys/kern/kern_jail.c
diff -c src/sys/kern/kern_jail.c:1.34 src/sys/kern/kern_jail.c:1.34.2.1
*** sys/kern/kern_jail.c:1.34	Tue Jun 10 19:56:55 2003
--- sys/kern/kern_jail.c	Thu Feb 19 17:26:39 2004
***************
*** 179,186 ****
  	struct prison *pr;
  	int error;
  	
! 	p = td->td_proc;
  
  	mtx_lock(&allprison_mtx);
  	pr = prison_find(uap->jid);
  	if (pr == NULL) {
--- 179,197 ----
  	struct prison *pr;
  	int error;
  	
! 	/*
! 	 * XXX: Note that there is a slight race here if two threads
! 	 * in the same privileged process attempt to attach to two
! 	 * different jails at the same time.  It is important for
! 	 * user processes not to do this, or they might end up with
! 	 * a process root from one prison, but attached to the jail
! 	 * of another.
! 	 */
! 	error = suser(td);
! 	if (error)
! 		return (error);
  
+ 	p = td->td_proc;
  	mtx_lock(&allprison_mtx);
  	pr = prison_find(uap->jid);
  	if (pr == NULL) {
***************
*** 191,199 ****
  	mtx_unlock(&pr->pr_mtx);
  	mtx_unlock(&allprison_mtx);
  
- 	error = suser_cred(td->td_ucred, PRISON_ROOT);
- 	if (error)
- 		goto e_dropref;
  	mtx_lock(&Giant);
  	vn_lock(pr->pr_root, LK_EXCLUSIVE | LK_RETRY, td);
  	if ((error = change_dir(pr->pr_root, td)) != 0)
--- 202,207 ----
***************
*** 208,220 ****
  
  	newcred = crget();
  	PROC_LOCK(p);
- 	/* Implicitly fail if already in jail.  */
- 	error = suser_cred(p->p_ucred, 0);
- 	if (error) {
- 		PROC_UNLOCK(p);
- 		crfree(newcred);
- 		goto e_dropref;
- 	}
  	oldcred = p->p_ucred;
  	setsugid(p);
  	crcopy(newcred, oldcred);
--- 216,221 ----
***************
*** 226,232 ****
  e_unlock:
  	VOP_UNLOCK(pr->pr_root, 0, td);
  	mtx_unlock(&Giant);
- e_dropref:
  	mtx_lock(&pr->pr_mtx);
  	pr->pr_ref--;
  	mtx_unlock(&pr->pr_mtx);
--- 227,232 ----