FreeBSD Bugzilla – Attachment 173424 Details for
Bug 211580
deny system message buffer access from jails
[patch]
Patch to allow per-jail msgbuf access
20160808-jail-msgbuf.diff (text/plain), 4.86 KB, created by
Bjoern A. Zeeb
on 2016-08-08 21:44:57 UTC
Description:
Patch to allow per-jail msgbuf access
Filename:
MIME Type:
Creator:
Bjoern A. Zeeb
Created:
2016-08-08 21:44:57 UTC
Size:
4.86 KB
>Index: usr.sbin/jail/config.c
>===================================================================
>--- usr.sbin/jail/config.c (revision 302298)
>+++ usr.sbin/jail/config.c (working copy)
>@@ -117,6 +117,7 @@ static const struct ipspec intparams[] = {
> [KP_PERSIST] = {"persist", 0},
> [KP_SECURELEVEL] = {"securelevel", 0},
> [KP_VNET] = {"vnet", 0},
>+ [KP_ALLOW_READ_MSGBUF] = {"allow.read_msgbuf", 0},
> };
>
> /*
>Index: usr.sbin/jail/jailp.h
>===================================================================
>--- usr.sbin/jail/jailp.h (revision 302298)
>+++ usr.sbin/jail/jailp.h (working copy)
>@@ -130,7 +130,8 @@ enum intparam {
> KP_PERSIST,
> KP_SECURELEVEL,
> KP_VNET,
>- IP_NPARAM
>+ IP_NPARAM,
>+ KP_ALLOW_READ_MSGBUF
> };
>
> STAILQ_HEAD(cfvars, cfvar);
>Index: sys/kern/kern_jail.c
>===================================================================
>--- sys/kern/kern_jail.c (revision 302298)
>+++ sys/kern/kern_jail.c (working copy)
>@@ -207,6 +207,7 @@ static char *pr_allow_names[] = {
> "allow.mount.fdescfs",
> "allow.mount.linprocfs",
> "allow.mount.linsysfs",
>+ "allow.read_msgbuf",
> };
> const size_t pr_allow_names_size = sizeof(pr_allow_names);
>
>@@ -226,6 +227,7 @@ static char *pr_allow_nonames[] = {
> "allow.mount.nofdescfs",
> "allow.mount.nolinprocfs",
> "allow.mount.nolinsysfs",
>+ "allow.noread_msgbuf",
> };
> const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
>
>@@ -3889,7 +3891,18 @@ prison_priv_check(struct ucred *cred, int priv)
> * Allow ktrace privileges for root in jail.
> */
> case PRIV_KTRACE:
>+ return (0);
>
>+ /*
>+ * Do not allow a process inside a jail read the kernel
>+ * message buffer unless explicitly permitted.
>+ */
>+ case PRIV_MSGBUF:
>+ if (cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF)
>+ return (0);
>+ else
>+ return (EPERM);
>+
> #if 0
> /*
> * Allow jailed processes to configure audit identity and
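Review bot: In the jailp.h hunk `KP_ALLOW_READ_MSGBUF` is added after `IP_NPARAM`, which by its name and position looks like the count sentinel of `enum intparam`, so the new value falls outside the counted range. Any array sized by `IP_NPARAM` or loop bounded by it (none is visible in this patch) would not cover the new parameter, and the designated initializer `[KP_ALLOW_READ_MSGBUF]` in the config.c hunk grows `intparams[]` past that count with an empty slot at index `IP_NPARAM`. Keep the sentinel last: `KP_ALLOW_READ_MSGBUF,` followed by `IP_NPARAM`.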
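Review bot: The new `case PRIV_MSGBUF:` in prison_priv_check() makes denial the default, so a jail that could read the buffer before this change loses that access until `allow.read_msgbuf` is set, and the comment does not name the parameter that grants it. Suggested comment: `/* Deny jailed reads of the kernel message buffer unless the jail has allow.read_msgbuf (PR_ALLOW_READ_MSGBUF) set. */`. No jail(8) manual page change is visible in this patch, so the new parameter and its default are undocumented for administrators. The switch statement starts and ends outside the hunk, so whether `PRIV_KTRACE` previously fell through to a `return (0)` further down cannot be confirmed from here.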
>@@ -4518,6 +4531,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CT
> "B", "Jail may set file quotas");
> SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
> "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
>+SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW,
>+ "B", "Jail may read the kernel message buffer");
>
> SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
> SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
>Index: sys/kern/kern_priv.c
>===================================================================
>--- sys/kern/kern_priv.c (revision 302298)
>+++ sys/kern/kern_priv.c (working copy)
>@@ -60,6 +60,12 @@ static int unprivileged_mlock = 1;
> SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RWTUN,
> &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)");
>
>+static int unprivileged_read_msgbuf = 1;
>+SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
>+ CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
>+ "Unprivileged processes may read the kernel message buffer");
>+
>+
> SDT_PROVIDER_DEFINE(priv);
> SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__ok, "int");
> SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__err, "int");
>@@ -107,6 +113,17 @@ priv_check_cred(struct ucred *cred, int priv, int
> }
> }
>
>+ if (unprivileged_read_msgbuf) {
>+ /*
>+ * Allow an unprivileged user to read the kernel message
>+ * buffer.
>+ */
>+ if (priv == PRIV_MSGBUF) {
>+ error = 0;
>+ goto out;
>+ }
>+ }
>+
> /*
> * Having determined if privilege is restricted by various policies,
> * now determine if privilege is granted. At this point, any policy
>Index: sys/kern/subr_prf.c
>===================================================================
>--- sys/kern/subr_prf.c (revision 302298)
>+++ sys/kern/subr_prf.c (working copy)
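Review bot: The `unprivileged_read_msgbuf` shortcut added to priv_check_cred() grants `PRIV_MSGBUF` unconditionally when the sysctl is non-zero (it is initialised to 1), so the jail restriction only holds if this block runs after the jail policy check; that call is outside the hunk and the ordering should be confirmed. A comment stating the dependency would keep a later reorder from silently undoing the jail denial, for example `/* Must stay below the jail policy check: a jail without allow.read_msgbuf is denied before reaching this point. */`. The nested test could also be written as `if (unprivileged_read_msgbuf && priv == PRIV_MSGBUF)`. priv_check_cred() begins and ends outside the hunk.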
>@@ -1004,11 +1004,6 @@ msgbufinit(void *ptr, int size)
> oldp = msgbufp;
> }
>
>-static int unprivileged_read_msgbuf = 1;
>-SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
>- CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
>- "Unprivileged processes may read the kernel message buffer");
>-
> /* Sysctls for accessing/clearing the msgbuf */
> static int
> sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
>@@ -1017,11 +1012,9 @@ sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
> u_int seq;
> int error, len;
>
>- if (!unprivileged_read_msgbuf) {
>- error = priv_check(req->td, PRIV_MSGBUF);
>- if (error)
>- return (error);
>- }
>+ error = priv_check(req->td, PRIV_MSGBUF);
>+ if (error)
>+ return (error);
>
> /* Read the whole buffer, one chunk at a time. */
> mtx_lock(&msgbuf_lock);
>Index: sys/sys/jail.h
>===================================================================
>--- sys/sys/jail.h (revision 302298)
>+++ sys/sys/jail.h (working copy)
>@@ -230,7 +230,8 @@ struct prison_racct {
> #define PR_ALLOW_MOUNT_FDESCFS 0x1000
> #define PR_ALLOW_MOUNT_LINPROCFS 0x2000
> #define PR_ALLOW_MOUNT_LINSYSFS 0x4000
>-#define PR_ALLOW_ALL 0x7fff
>+#define PR_ALLOW_READ_MSGBUF 0x8000
>+#define PR_ALLOW_ALL 0xffff
>
> /*
> * OSD methods
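Review bot: With the `if (!unprivileged_read_msgbuf)` guard removed, sysctl_kern_msgbuf() is the only reader shown in this patch that calls `priv_check(req->td, PRIV_MSGBUF)`; any other path that exposes the message buffer is outside the patch and would need the same check for the jail flag to be effective. The unconditional call also means every policy consulted by priv_check() now sees this request even when `security.bsd.unprivileged_read_msgbuf` is 1, a behaviour change worth one line above the call, e.g. `/* Policy (jail flag, unprivileged_read_msgbuf) is applied in priv_check(). */`. The handler's body continues past the hunk.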
Attachments on
bug 211580
:
173424
|
198114