Process Visibility Security Policies
Contact: Olivier Certner <olce.freebsd.statusreports@certner.fr>
Context
FreeBSD implements three built-in security policies that limit which processes are visible to particular users, with the goal of preventing information leaks and unwanted interactions.
The first one can prevent an unprivileged user from seeing or
interacting with processes that do not have the user’s UID as their
real UID. It can be activated by setting the sysctl
security.bsd.see_other_uids
to 0 (default is 1).
The second one can prevent an unprivileged user from seeing or
interacting with processes whose credentials do not have any group
that the user is a member of. It can be activated by setting the
sysctl security.bsd.see_other_gids
to 0 (default is
1).
The third one can prevent an unprivileged user's process from
seeing or interacting with processes that are in a strict sub-jail
of its own jail. The jail subsystem already prevents such a process
from seeing processes in jails that are not descendants of its own
(see jail(8) and in particular the section "Hierarchical Jails").
One possible use of this policy, in conjunction with the first one
above, is to hide processes in sub-jails that have the same real
UID as some user in an ancestor jail, because users having
identical UIDs in these different jails are logically considered to
be different users. It can be activated by setting the sysctl
security.bsd.see_jail_proc
to 0 (default is 1).
After a review of these policies' code and real world testing, we noticed a number of problems and limitations which prompted us to work on this topic.
Changes
The policy controlled by the
security.bsd.see_jail_proc
sysctl has received the
following fixes and improvements:
- Harden the security.bsd.see_jail_proc policy. Previously, an
unprivileged user could attempt to kill, change the priority of or
debug a process with the same real UID in a sub-jail by guessing
its PID, and the operation would succeed even though the process
was not visible to that user. Such attempts are now denied.
- Make this policy overridable by MAC policies, as the other two
already are.
The policy controlled by
security.bsd.see_other_gids
was fixed to consider the
real group of a process instead of its effective group when
determining whether the user trying to access the process is a
member of one of the process' groups. The rationale is that a
user should continue to see processes they have launched even when
these acquire further privileges by virtue of the setgid bit.
Conversely, the user should not see processes launched by a
privileged user that temporarily enters the user's primary group. This new
behavior is consistent with what
security.bsd.see_other_uids
has always been doing for
user IDs (i.e., considering some process' real user ID and not the
effective ID).
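The three policies described under Context, and the real-versus-effective group change above, as an added illustration written for this report rather than code from the kernel: a small C model of the visibility decision. The type and function names (struct jail, struct cred, struct policy, can_see, mk) are this example's own, as are two simplifications: root (effective UID 0) is exempt from all three tunables, and an observer "is a member of" its real GID and its supplementary groups. The credentials and jails it evaluates are constructed sample data.

```c
/*
 * Model of FreeBSD's three process-visibility policies, written as an
 * illustration for this report; not kernel code. Names and the two
 * simplifications (root exempt; membership = real GID + supplementary
 * groups) are this example's assumptions. All sample data is constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct jail {
    const char *name;
    const struct jail *parent;  /* NULL for the root prison */
};

struct cred {
    unsigned ruid, euid;        /* real / effective user ID */
    unsigned rgid, egid;        /* real / effective group ID */
    unsigned supp[8];           /* supplementary groups */
    size_t nsupp;
    const struct jail *jail;
};

/* The three sysctls: 1 = policy off (the default), 0 = policy on. */
struct policy {
    int see_other_uids, see_other_gids, see_jail_proc;
    bool gid_uses_real;         /* true: fixed see_other_gids; false: pre-fix */
};

static bool jail_is_descendant(const struct jail *j, const struct jail *anc)
{
    for (; j != NULL; j = j->parent)
        if (j == anc)
            return true;
    return false;
}

static bool is_member(const struct cred *c, unsigned gid)
{
    if (c->rgid == gid)
        return true;
    for (size_t i = 0; i < c->nsupp; i++)
        if (c->supp[i] == gid)
            return true;
    return false;
}

/* Can obs see tgt? With the hardening above, the same answer also gates
 * kill(2), setpriority(2) and ptrace(2) against sub-jail processes. */
bool can_see(const struct policy *p, const struct cred *obs, const struct cred *tgt)
{
    /* Jail hierarchy: only the observer's own jail and its descendants
     * are ever visible, independently of the sysctls. */
    if (!jail_is_descendant(tgt->jail, obs->jail))
        return false;
    if (obs->euid == 0)         /* model simplification: root is exempt */
        return true;
    if (!p->see_other_uids && obs->ruid != tgt->ruid)
        return false;
    if (!p->see_other_gids &&
        !is_member(obs, p->gid_uses_real ? tgt->rgid : tgt->egid))
        return false;
    /* Strict sub-jail: a descendant, but not the observer's own jail. */
    if (!p->see_jail_proc && tgt->jail != obs->jail)
        return false;
    return true;
}

/* Constructed sample jails: root prison "host" with sub-jails "web" and "db". */
static const struct jail host = { "host", NULL };
static const struct jail web  = { "web", &host };
static const struct jail db   = { "db", &host };

static struct cred mk(unsigned uid, unsigned rgid, unsigned egid, const struct jail *j)
{
    struct cred c = { uid, uid, rgid, egid, {0}, 0, j };
    return c;
}

/* alice (uid/gid 1001) and a setgid-games (gid 13) program she launched. */
bool setgid_child_visible(bool fixed)
{
    struct cred alice = mk(1001, 1001, 1001, &host), child = mk(1001, 1001, 13, &host);
    struct policy p = { 1, 0, 1, fixed };
    return can_see(&p, &alice, &child);   /* fixed: true; pre-fix: false */
}

/* A root process that temporarily set its effective group to alice's. */
bool privileged_in_users_group_visible(bool fixed)
{
    struct cred alice = mk(1001, 1001, 1001, &host), svc = mk(0, 0, 1001, &host);
    struct policy p = { 1, 0, 1, fixed };
    return can_see(&p, &alice, &svc);     /* fixed: false; pre-fix: true */
}

/* Same real UID; observer in "host", target in sub-jail "web". */
bool subjail_visible(int see_jail_proc)
{
    struct cred u = mk(1001, 1001, 1001, &host), t = mk(1001, 1001, 1001, &web);
    struct policy p = { 0, 1, see_jail_proc, true };
    return can_see(&p, &u, &t);           /* 1: true; 0: false */
}

/* Sibling jails: denied by the hierarchy alone, every policy off. */
bool sibling_jail_visible(void)
{
    struct cred u = mk(1001, 1001, 1001, &web), t = mk(1001, 1001, 1001, &db);
    struct policy p = { 1, 1, 1, true };
    return can_see(&p, &u, &t);           /* false */
}

int main(void)
{
    printf("setgid child, fixed GID check: %d\n", setgid_child_visible(true));
    printf("sub-jail with see_jail_proc=0: %d\n", subjail_visible(0));
    return 0;
}
```

The two see_other_gids scenarios carry the rationale given above: alice keeps seeing her setgid child only under the real-GID check, and the root process that entered her primary group is hidden only under it. The jail scenarios separate the always-on hierarchy rule (sibling jails, denied whatever the sysctls) from the opt-in security.bsd.see_jail_proc policy (strict sub-jail, denied only when the sysctl is 0).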
We have updated manual pages related to these security policies, including security(7), sysctl(8), and ptrace(2). Several manual pages of internal functions either implementing or leveraging these policies have also been revamped.
Status
Thanks to the help of Mitchell Horne, Pau Amma, Benedict Reuschling and Ed Maste, most of the submitted changes have been reviewed and approved, so they should reach the tree soon. The patch series starts with review D40626. From there, click on the "Stack" tab to see the full list of reviews implementing the changes.
As a later step, we are considering turning the
security.bsd.see_jail_proc
policy on by default (i.e.,
the default value of the sysctl would become 0) unless there are
objections.
Sponsor: Kumacom SAS (for development work)
Sponsor: The FreeBSD Foundation (for most of the reviews)
Last modified on: October 2, 2023 by Graham Perrin