From owner-freebsd-arch@freebsd.org Fri May 15 13:14:52 2020 Return-Path: Delivered-To: freebsd-arch@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D81962F5480; Fri, 15 May 2020 13:14:52 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49NpmD5RdXz3KZL; Fri, 15 May 2020 13:14:52 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from mail-qt1-f169.google.com (mail-qt1-f169.google.com [209.85.160.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) (Authenticated sender: kevans) by smtp.freebsd.org (Postfix) with ESMTPSA id ACD331A7DC; Fri, 15 May 2020 13:14:52 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: by mail-qt1-f169.google.com with SMTP id v4so1874383qte.3; Fri, 15 May 2020 06:14:52 -0700 (PDT) X-Gm-Message-State: AOAM531OB48/vUcUNo2SmbhZ4uPiuWbkyCaMJc/3fzpAzvOLQxaW4RXY PU3dIHHk6MjLsIx4s6Ydt6j0AtlDnzphGbWs4RA= X-Google-Smtp-Source: ABdhPJxIaPHlcjrzuRWHQGtahZPlCxiqJV30sYCkl/zlY3HM2OwIuz0tWonr8K+g7cmepdHrf3OPdhRH/z5Rz+Z/qQM= X-Received: by 2002:ac8:2fb9:: with SMTP id l54mr1797432qta.211.1589548492143; Fri, 15 May 2020 06:14:52 -0700 (PDT) MIME-Version: 1.0 References: <202005142017.04EKH0aA093503@fire.js.berklix.net> <33549.1589488226@critter.freebsd.dk> <35501.1589529102@critter.freebsd.dk> In-Reply-To: <35501.1589529102@critter.freebsd.dk> From: Kyle Evans Date: Fri, 15 May 2020 08:14:38 -0500 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [HEADSUP] Disallowing read() of a directory fd To: Poul-Henning Kamp Cc: Alan Somers , "Julian H. Stacey" , "freebsd-arch@freebsd.org" , "freebsd-hackers@freebsd.org" Content-Type: text/plain; charset="UTF-8" X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 May 2020 13:14:52 -0000 On Fri, May 15, 2020 at 2:51 AM Poul-Henning Kamp wrote: > > -------- > In message > , Kyle Evans writes: > >On Thu, May 14, 2020 at 3:30 PM Poul-Henning Kamp wrote: > > >Can we explore the possibility of using fsdb(8) to fulfill these needs > >in a way that you'd be comfortable with? >> > Summary: I'm perfectly fine with read(2) returning error on a > directory *under normal circumstances*, and I think it makes good > sense by protecting a lot of terminals from a lot of binary > garbage. > > But there is absolutely no reason to make it *impossible* for > a competent root to do what competent roots do. > First, apologies if my previous message had offended you -- I didn't mean for this, but as you can tell I was not well-equipped to discuss the possibilities with a seasoned veteran such as yourself. I've prepared a patch locally to update the review that both hides it off behind security.bsd.allow_read_dir (default off) and restricts it to a new PRIV_VFS_READ_DIR that *is not* granted to jailed root. I know we've already discussed this to some extent, but can you confirm that these restrictions are reasonable and acceptable for you? I've tentatively placed it in the security.bsd.* namespace because it can and has had security implications, but I'm certainly not dead-set on it staying there. Thanks, Kyle Evans