
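--- a/usr.sbin/jail/config.c
+++ b/usr.sbin/jail/config.c
@@ -117,6 +117,7 @@ static const struct ipspec intparams[] = {
     [KP_PERSIST] =		{"persist",		0},
     [KP_SECURELEVEL] =		{"securelevel",		0},
     [KP_VNET] =			{"vnet",		0},
+    [KP_ALLOW_READ_MSGBUF] =	{"allow.read_msgbuf",	0},
 };
 
 /*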
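--- a/usr.sbin/jail/jailp.h
+++ b/usr.sbin/jail/jailp.h
@@ -130,7 +130,8 @@ enum intparam {
 	KP_PERSIST,
 	KP_SECURELEVEL,
 	KP_VNET,
-	IP_NPARAM
+	IP_NPARAM,
+	KP_ALLOW_READ_MSGBUF
 };
 
 STAILQ_HEAD(cfvars, cfvar);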
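Review bot: `KP_ALLOW_READ_MSGBUF` is added after `IP_NPARAM`, which by its name and final position looks like the count sentinel of `enum intparam`, so the new value is IP_NPARAM + 1 rather than one of the counted parameters. Anything sized or bounded by `IP_NPARAM` (not visible in this patch) would then not cover it, and the `[KP_ALLOW_READ_MSGBUF]` designated initializer in config.c's `intparams[]` extends that table past the sentinel and leaves a zeroed slot at index `IP_NPARAM`. Move the new enumerator in front of the sentinel, `KP_ALLOW_READ_MSGBUF,` followed by `IP_NPARAM`. The enum starts before this hunk, so the other users of the sentinel should be checked against the full file.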
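--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -207,6 +207,7 @@ static char *pr_allow_names[] = {
 	"allow.mount.fdescfs",
 	"allow.mount.linprocfs",
 	"allow.mount.linsysfs",
+	"allow.read_msgbuf",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -226,6 +227,7 @@ static char *pr_allow_nonames[] = {
 	"allow.mount.nofdescfs",
 	"allow.mount.nolinprocfs",
 	"allow.mount.nolinsysfs",
+	"allow.noread_msgbuf",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
@@ -3889,7 +3891,18 @@ prison_priv_check(struct ucred *cred, int priv)
 		 * Allow ktrace privileges for root in jail.
 		 */
 	case PRIV_KTRACE:
+		return (0);
 
+		/*
+		 * Do not allow a process inside a jail read the kernel
+		 * message buffer unless explicitly permitted.
+		 */
+	case PRIV_MSGBUF:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF)
+			return (0);
+		else
+			return (EPERM);
+
 #if 0
 		/*
 		 * Allow jailed processes to configure audit identity and
@@ -4518,6 +4531,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CT
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may read the kernel message buffer");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,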
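Review bot: The added `return (0);` under `case PRIV_KTRACE:` in the prison_priv_check() hunk changes that case as a side effect of where the new one was inserted. Before the patch the label was followed only by a blank line and the `#if 0` block, so it fell through to code that lies outside this hunk; if that code does anything other than return 0, ktrace handling inside jails now differs. Placing the `PRIV_MSGBUF` case away from this fall-through group would leave `PRIV_KTRACE` untouched. The `else` after `return (0);` is redundant, and the check reads more directly as `return ((cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF) ? 0 : EPERM);`.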
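--- a/sys/kern/kern_priv.c
+++ b/sys/kern/kern_priv.c
@@ -60,6 +60,12 @@ static int unprivileged_mlock = 1;
 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RWTUN,
     &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)");
 
+static int	unprivileged_read_msgbuf = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
+    CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
+    "Unprivileged processes may read the kernel message buffer");
+
+
 SDT_PROVIDER_DEFINE(priv);
 SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__ok, "int");
 SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__err, "int");
@@ -107,6 +113,17 @@ priv_check_cred(struct ucred *cred, int priv, int
 		}
 	}
 
+	if (unprivileged_read_msgbuf) {
+		/*
+		 * Allow an unprivileged user to read the kernel message
+		 * buffer.
+		 */
+		if (priv == PRIV_MSGBUF) {
+			error = 0;
+			goto out;
+		}
+	}
+
 	/*
 	 * Having determined if privilege is restricted by various policies,
 	 * now determine if privilege is granted.  At this point, any policy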
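Review bot: The comment on the new block in priv_check_cred() does not say how this shortcut relates to the jail check, which is the part a reader most needs. With the knob at 1 the block grants `PRIV_MSGBUF` to every caller that reaches it, and jailed processes stay restricted only if prison_priv_check() has already run; the following comment ("Having determined if privilege is restricted by various policies") suggests that, but the function begins before this hunk, so it should be confirmed. I would extend the comment to something like `/* Jailed processes were already vetted by prison_priv_check() (allow.read_msgbuf); this covers non-jailed unprivileged users only. */`. The nested test can also be folded into `if (unprivileged_read_msgbuf && priv == PRIV_MSGBUF) {`, and the first hunk adds two blank lines after the SYSCTL_INT where one is enough.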
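--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -1004,11 +1004,6 @@ msgbufinit(void *ptr, int size)
 	oldp = msgbufp;
 }
 
-static int unprivileged_read_msgbuf = 1;
-SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
-    CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
-    "Unprivileged processes may read the kernel message buffer");
-
 /* Sysctls for accessing/clearing the msgbuf */
 static int
 sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
@@ -1017,11 +1012,9 @@ sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
 	u_int seq;
 	int error, len;
 
-	if (!unprivileged_read_msgbuf) {
-		error = priv_check(req->td, PRIV_MSGBUF);
-		if (error)
-			return (error);
-	}
+	error = priv_check(req->td, PRIV_MSGBUF);
+	if (error)
+		return (error);
 
 	/* Read the whole buffer, one chunk at a time. */
 	mtx_lock(&msgbuf_lock);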
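--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -230,7 +230,8 @@ struct prison_racct {
 #define	PR_ALLOW_MOUNT_FDESCFS		0x1000
 #define	PR_ALLOW_MOUNT_LINPROCFS	0x2000
 #define	PR_ALLOW_MOUNT_LINSYSFS		0x4000
-#define	PR_ALLOW_ALL			0x7fff
+#define	PR_ALLOW_READ_MSGBUF		0x8000
+#define	PR_ALLOW_ALL			0xffff
 
 /*
  * OSD methods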

Return to bug 211580