FreeBSD Bugzilla – Attachment 198114 Details for
Bug 211580
deny system message buffer access from jails
[patch]
Current revision of allow.read_msgbuf patch
dmesg.diff (text/plain), 4.81 KB, created by
Jamie Gritton
on 2018-10-14 05:56:00 UTC
Description:
Current revision of allow.read_msgbuf patch
Filename:
MIME Type:
Creator:
Jamie Gritton
Created:
2018-10-14 05:56:00 UTC
Size:
4.81 KB
patch
obsolete
>Index: sys/kern/kern_jail.c
>===================================================================
>--- sys/kern/kern_jail.c (revision 339350)
>+++ sys/kern/kern_jail.c (working copy)
>@@ -193,6 +193,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW
> {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK},
> {"allow.reserved_ports", "allow.noreserved_ports",
> PR_ALLOW_RESERVED_PORTS},
>+ {"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF},
> };
> const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
>
>@@ -3350,6 +3351,16 @@ prison_priv_check(struct ucred *cred, int priv)
> case PRIV_PROC_SETLOGINCLASS:
> return (0);
>
>+ /*
>+ * Do not allow a process inside a jail read the kernel
>+ * message buffer unless explicitly permitted.
>+ */
>+ case PRIV_MSGBUF:
>+ if (cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF)
>+ return (0);
>+ else
>+ return (EPERM);
>+
> default:
> /*
> * In all remaining cases, deny the privilege request. This
>@@ -3770,6 +3781,8 @@ SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTL
> "B", "Jail may lock (unlock) physical pages in memory");
> SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
> "B", "Jail may bind sockets to reserved ports");
>+SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW,
>+ "B", "Jail may read the kernel message buffer");
>
> SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
> SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
>Index: sys/kern/kern_priv.c
>===================================================================
>--- sys/kern/kern_priv.c (revision 339350)
>+++ sys/kern/kern_priv.c (working copy)
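Review bot: The comment above `case PRIV_MSGBUF:` in prison_priv_check() does not say what the `return (0);` branch actually grants, which matters to anyone enabling the new flag. Returning 0 only lifts the jail's veto; judging by the kern_priv.c part of this patch, whether a non-root jailed user may then read is still decided by `security.bsd.unprivileged_read_msgbuf`, and as far as the subr_prf.c hunks show the buffer is the single kernel-wide one rather than a per-jail view. I would reword the comment along the lines of `Deny jailed reads of the kernel-wide message buffer unless allow.read_msgbuf is set; unprivileged access is then decided in priv_check_cred().`, which also fixes the missing "to" in "inside a jail read". The `else` after `return (0);` is redundant and can be dropped. prison_priv_check() starts and ends outside the hunk.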
>@@ -62,6 +62,11 @@ static int unprivileged_mlock = 1;
> SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RWTUN,
> &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)");
>
>+static int unprivileged_read_msgbuf = 1;
>+SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
>+ CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
>+ "Unprivileged processes may read the kernel message buffer");
>+
> SDT_PROVIDER_DEFINE(priv);
> SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__ok, "int");
> SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__err, "int");
>@@ -109,6 +114,17 @@ priv_check_cred(struct ucred *cred, int priv, int
> }
> }
>
>+ if (unprivileged_read_msgbuf) {
>+ /*
>+ * Allow an unprivileged user to read the kernel message
>+ * buffer.
>+ */
>+ if (priv == PRIV_MSGBUF) {
>+ error = 0;
>+ goto out;
>+ }
>+ }
>+
> /*
> * Having determined if privilege is restricted by various policies,
> * now determine if privilege is granted. At this point, any policy
>Index: sys/kern/subr_prf.c
>===================================================================
>--- sys/kern/subr_prf.c (revision 339350)
>+++ sys/kern/subr_prf.c (working copy)
>@@ -1053,11 +1053,6 @@ msgbufinit(void *ptr, int size)
> oldp = msgbufp;
> }
>
>-static int unprivileged_read_msgbuf = 1;
>-SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
>- CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
>- "Unprivileged processes may read the kernel message buffer");
>-
> /* Sysctls for accessing/clearing the msgbuf */
> static int
> sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
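Review bot: The relocated `unprivileged_read_msgbuf` sysctl is declared with `CTLFLAG_RW`, while the `unprivileged_mlock` knob in the context lines directly above it uses `CTLFLAG_RWTUN`. Since this variable now gates a privilege decision in priv_check_cred(), it is worth deciding whether it should also be a loader tunable so a hardened host can clear it before userland starts; if so the change is `CTLFLAG_RWTUN, &unprivileged_read_msgbuf, 0,`. The default of 1 is carried over unchanged from subr_prf.c, so outside a jail any unprivileged process keeps read access until an administrator clears it.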
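Review bot: The new `if (unprivileged_read_msgbuf)` block in priv_check_cred() grants PRIV_MSGBUF unconditionally with `error = 0; goto out;`, so the jail restriction added in kern_jail.c only holds if this block runs after the prison_priv_check() call and that call's error path has already jumped to `out`. That ordering is outside the hunk (the function starts and ends beyond it), so I would pin it in the comment, for example `Allow an unprivileged user to read the kernel message buffer. This must stay below the jail policy check so that allow.read_msgbuf can still deny it.` The two nested `if`s could also be written as a single `if (unprivileged_read_msgbuf && priv == PRIV_MSGBUF)`.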
>@@ -1066,11 +1061,9 @@ sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
> u_int seq;
> int error, len;
>
>- if (!unprivileged_read_msgbuf) {
>- error = priv_check(req->td, PRIV_MSGBUF);
>- if (error)
>- return (error);
>- }
>+ error = priv_check(req->td, PRIV_MSGBUF);
>+ if (error)
>+ return (error);
>
> /* Read the whole buffer, one chunk at a time. */
> mtx_lock(&msgbuf_lock);
>Index: sys/sys/jail.h
>===================================================================
>--- sys/sys/jail.h (revision 339350)
>+++ sys/sys/jail.h (working copy)
>@@ -228,9 +228,10 @@ struct prison_racct {
> #define PR_ALLOW_QUOTAS 0x00000020
> #define PR_ALLOW_SOCKET_AF 0x00000040
> #define PR_ALLOW_MLOCK 0x00000080
>+#define PR_ALLOW_READ_MSGBUF 0x00000100
> #define PR_ALLOW_RESERVED_PORTS 0x00008000
> #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
>-#define PR_ALLOW_ALL_STATIC 0x000180ff
>+#define PR_ALLOW_ALL_STATIC 0x000181ff
>
> /*
> * OSD methods
>Index: usr.sbin/jail/jail.8
>===================================================================
>--- usr.sbin/jail/jail.8 (revision 339350)
>+++ usr.sbin/jail/jail.8 (working copy)
>@@ -549,6 +549,11 @@ option.
> The jail root may administer quotas on the jail's filesystem(s).
> This includes filesystems that the jail may share with other jails or
> with non-jailed parts of the system.
>+.It Va allow.read_msgbuf
>+Jailed users may read the kernel message buffer.
>+If the
>+.Va security.bsd.unprivileged_read_msgbuf
>+MIB entry is zero, this will be restricted to to root user.
> .It Va allow.socket_af
> Sockets within a jail are normally restricted to IPv4, IPv6, local
> (UNIX), and route. This allows access to other protocol stacks that
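Review bot: After this change the `priv_check(req->td, PRIV_MSGBUF)` call in sysctl_kern_msgbuf() reads as if the buffer were root-only, because the `unprivileged_read_msgbuf` test that used to sit next to it is gone from this file. A one-line comment above the call would keep the policy discoverable, e.g. `/* Unprivileged and jailed access is decided in priv_check_cred() and prison_priv_check(). */`. Because the grant is now made centrally, any other PRIV_MSGBUF check outside these hunks would be opened to unprivileged users by the same knob; that is worth confirming before commit. The function body continues past the end of the hunk.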
Attachments on
bug 211580
:
173424
| 198114