Date: Thu, 4 Jun 2020 18:17:26 +0000 (UTC) From: Kyle Evans <kevans@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r361799 - in head: lib/libc/sys sys/kern sys/sys Message-ID: <202006041817.054IHQeB084749@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kevans Date: Thu Jun 4 18:17:25 2020 New Revision: 361799 URL: https://svnweb.freebsd.org/changeset/base/361799 Log: vfs: add restrictions to read(2) of a directory [2/2] This commit adds the priv(9) that waters down the sysctl to make it only allow read(2) of a dirfd by the system root. Jailed root is not allowed, but jail policy and superuser policy will abstain from allowing/denying it so that a MAC module can fully control the policy. Such a MAC module has been written, and can be found at: https://people.freebsd.org/~kevans/mac_read_dir-0.1.0.tar.gz It is expected that the MAC module won't be needed by many, as most only need to do such diagnostics that require this behavior as system root anyways. Interested parties are welcome to grab the MAC module above and create a port or locally integrate it, and with enough support it could see introduction to base. As noted in mac_read_dir.c, it is released under the BSD 2 clause license and allows the restrictions to be lifted for only jailed root or for all unprivileged users. PR: 246412 Reviewed by: mckusick, kib, emaste, jilles, cy, phk, imp (all previous) Reviewed by: rgrimes (latest version) Differential Revision: https://reviews.freebsd.org/D24596 Modified: head/lib/libc/sys/read.2 head/sys/kern/kern_jail.c head/sys/kern/kern_priv.c head/sys/kern/vfs_vnops.c head/sys/sys/priv.h Modified: head/lib/libc/sys/read.2 ============================================================================== --- head/lib/libc/sys/read.2 Thu Jun 4 18:09:55 2020 (r361798) +++ head/lib/libc/sys/read.2 Thu Jun 4 18:17:25 2020 (r361799) @@ -200,7 +200,7 @@ The file was marked for non-blocking I/O, and no data were ready to be read. .It Bq Er EISDIR The file descriptor is associated with a directory. -Directories may only be read directly if the filesystem supports it and +Directories may only be read directly by root if the filesystem supports it and the .Dv security.bsd.allow_read_dir sysctl MIB is set to a non-zero value. Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Thu Jun 4 18:09:55 2020 (r361798) +++ head/sys/kern/kern_jail.c Thu Jun 4 18:17:25 2020 (r361799) @@ -3324,6 +3324,14 @@ prison_priv_check(struct ucred *cred, int priv) return (EPERM); /* + * Jails should hold no disposition on the PRIV_VFS_READ_DIR + * policy. priv_check_cred will not specifically allow it, and + * we may want a MAC policy to allow it. + */ + case PRIV_VFS_READ_DIR: + return (0); + + /* * Conditionnaly allow locking (unlocking) physical pages * in memory. */ Modified: head/sys/kern/kern_priv.c ============================================================================== --- head/sys/kern/kern_priv.c Thu Jun 4 18:09:55 2020 (r361798) +++ head/sys/kern/kern_priv.c Thu Jun 4 18:17:25 2020 (r361799) @@ -194,6 +194,14 @@ priv_check_cred(struct ucred *cred, int priv) goto out; } break; + case PRIV_VFS_READ_DIR: + /* + * Allow PRIV_VFS_READ_DIR for root if we're not in a + * jail, otherwise deny unless a MAC policy grants it. + */ + if (jailed(cred)) + break; + /* FALLTHROUGH */ default: if (cred->cr_uid == 0) { error = 0; Modified: head/sys/kern/vfs_vnops.c ============================================================================== --- head/sys/kern/vfs_vnops.c Thu Jun 4 18:09:55 2020 (r361798) +++ head/sys/kern/vfs_vnops.c Thu Jun 4 18:17:25 2020 (r361799) @@ -1226,12 +1226,16 @@ vn_io_fault(struct file *fp, struct uio *uio, struct u * The ability to read(2) on a directory has historically been * allowed for all users, but this can and has been the source of * at least one security issue in the past. As such, it is now hidden - * away behind a sysctl for those that actually need it to use it. + * away behind a sysctl for those that actually need it to use it, and + * restricted to root when it's turned on to make it relatively safe to + * leave on for longer sessions of need. */ if (vp->v_type == VDIR) { KASSERT(uio->uio_rw == UIO_READ, ("illegal write attempted on a directory")); if (!vfs_allow_read_dir) + return (EISDIR); + if ((error = priv_check(td, PRIV_VFS_READ_DIR)) != 0) return (EISDIR); } Modified: head/sys/sys/priv.h ============================================================================== --- head/sys/sys/priv.h Thu Jun 4 18:09:55 2020 (r361798) +++ head/sys/sys/priv.h Thu Jun 4 18:17:25 2020 (r361799) @@ -283,6 +283,7 @@ #define PRIV_VFS_SYSFLAGS 342 /* Can modify system flags. */ #define PRIV_VFS_UNMOUNT 343 /* Can unmount(). */ #define PRIV_VFS_STAT 344 /* Override vnode MAC stat perm. */ +#define PRIV_VFS_READ_DIR 345 /* Can read(2) a dirfd, needs sysctl. */ /* * Virtual memory privileges.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202006041817.054IHQeB084749>