From owner-freebsd-security@FreeBSD.ORG  Sun Jun 23 14:58:03 2013
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: FreeBSD-Security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id 53E63F0F
 for <FreeBSD-Security@freebsd.org>; Sun, 23 Jun 2013 14:58:03 +0000 (UTC)
 (envelope-from Thomas.Sparrevohn@btinternet.com)
Received: from nm6-vm4.bt.bullet.mail.ir2.yahoo.com
 (nm6-vm4.bt.bullet.mail.ir2.yahoo.com [212.82.99.205])
 by mx1.freebsd.org (Postfix) with ESMTP id A07C21F66
 for <FreeBSD-Security@freebsd.org>; Sun, 23 Jun 2013 14:57:59 +0000 (UTC)
Received: from [212.82.98.47] by nm6.bt.bullet.mail.ir2.yahoo.com with NNFMP;
 23 Jun 2013 14:50:45 -0000
Received: from [46.228.39.169] by tm8.bt.bullet.mail.ir2.yahoo.com with NNFMP;
 23 Jun 2013 14:50:45 -0000
Received: from [127.0.0.1] by smtp110.bt.mail.ir2.yahoo.com with NNFMP;
 23 Jun 2013 14:50:45 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=s1024;
 t=1371999045; bh=Vcuk6TIcd5PljpBkfuErpb1/6z5dId2aR2UOb1906f0=;
 h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:X-Rocket-Received:From:To:Subject:Date:Message-ID:User-Agent:MIME-Version:Content-Transfer-Encoding:Content-Type;
 b=fTncQaL9Ppky+YEBw45DZAuE1bLJdE/YRiLjD3V9vvp3ArcOOvrN2ipm/YyvcnHqFrpYVLh+TlQLtXaDYV/YZ84fID0HB6Cra0SQIU5aB+V7tGCfRgO7PjIIZkg1Ise6k0ANTdcNO3HUv/OlprRBToy8Qb0Zl4i4rB4fIqocFXk=
X-Yahoo-Newman-Id: 828988.24093.bm@smtp110.bt.mail.ir2.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: UkjDszkVM1l7ku8C.Ns_upeZJKD09yp0PyjT9LijPK8L4I6
 zbNmk57V_H8wSo4DJzHrOsQ1zj_w_7d.O.sEqViIOIAmFMVIcDeNi2wNbAFG
 Y4KJ2Qr8F1ooSMPMgtZx6My7dIED_Qsd86AIQyAn_hezAuaYxMojKHws1tt3
 sJG2krsoxxeTUI83KuWH.KdJ6mAUFNg_7V0yxOb2.H1wAAHr8vw2dpnoSVSK
 uqJDpNYHeJB3jcKSZUooZx1kU.kvUNEnqoFtm3nsULGC.tZm9hiwgzSoVdiw
 6ju0SDAo5xtda7AEaZ0B_yTLKftS._WT_DidBDhKQQ3h7NuRiEipIAJBmrQ9
 l7TcElihqt.TICoRV30TXNE8n8F.UqceY1KctCyy_PX9uYdp0ZnrBfq4GLih
 .TW7Dkf7Rd7vMwL_ruLJbMxRdOPzOf_4WS5lhwD5cKq3DnoUEBBDualCIg7A
 48QIYrIpjG2yxYxjCgPQ2m7ml8_dkJYUUn2vXjmKaGXoT_uatbmjiKBo-
X-Yahoo-SMTP: IZRlAYqswBDptUXTX.cYc1l2h3YNYE0xlrpi4wWl.OMHg4FYv7uDnfZx6kQf
X-Rocket-Received: from thomas-freebsd.aah-go-on.com
 (Thomas.Sparrevohn@86.158.245.187 with plain)
 by smtp110.bt.mail.ir2.yahoo.com with SMTP; 23 Jun 2013 14:50:45 +0000 UTC
From: Thomas Sparrevohn <Thomas.Sparrevohn@btinternet.com>
To: FreeBSD-Security@freebsd.org, phk@freebsd.org
Subject: POSIX mqueuefs not jail aware
Date: Sun, 23 Jun 2013 15:50:37 +0100
Message-ID: <19904027.kRPR4YHN3x@thomas-freebsd.aah-go-on.com>
User-Agent: KMail/4.10.3 (FreeBSD/10.0-CURRENT; KDE/4.10.3; amd64; ; )
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Jun 2013 14:58:03 -0000


Hi 

I have been working on some different projects that eventually will need a 
shared queue structure and have been playing with mq_open et al. 

For various reasons I was looking into being able to communicate between
the host and a jail using a global queue. Not that works fine using mqueuefs - 
the down side is that any root or matching uid can delete the queue on the 
host system.

Transscript - First the host

	root@Thomas-FreeBSD:/home/sparrevo # ~sparrevo/mqueue
	Testing creation of Queue /Talk
        Making sure it does not exist deleted
	/Talk Created
	 message posted 


Now the jail - please note this jail runs securelevel 2 - not that I would 
think it would matter here

	root@Thomas-FreeBSD:/home/sparrevo # jail -c amd64-schg
	amd64-schg: created
	root@Thomas-FreeBSD:/home/sparrevo # ssh sparrevo@192.168.0.203
	Password for sparrevo@amd64-schg.aah-go-on.com:
	Warning: untrusted X11 forwarding setup failed: xauth key data not 	
generated
	Warning: No xauth data; using fake authentication data for X11 	
forwarding.
	X11 forwarding request failed on channel 0
	Last login: Sat Jun 15 16:48:07 2013 from 192.168.0.203
	FreeBSD 10.0-CURRENT (PRODUCTION) #1 r252040: Sat Jun 22 01:20:14 BST 
2013

	Welcome to FreeBSD!

	sparrevo@amd64-schg:~ % ./mqueue                                                
	Testing creation of Queue /Talk                                                 
        Making sure it does not exist - it exist and we cannot delete it due 
permissions                                                                        
	Queue /Talk cannot be created                                                   
	hu:: File exists                                                                
	sparrevo@amd64-schg:~ % su                                                      
	Password:                                                                       
	root@amd64-schg:/home/sparrevo # ./mqueue                                       
	Testing creation of Queue /Talk                                                 
        Making sure it does not exist deleted                                   
	/Talk Created                                                                   
 	message posted                                                                 
	root@amd64-schg:/home/sparrevo # 

Looking at the code it seems like we are missing a couple of allow.xxx 
features. I have not yet had time to check thw shm code to see how it prevents 
it