From owner-svn-src-head@freebsd.org Thu Jun 4 18:17:27 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 52B2432BF43; Thu, 4 Jun 2020 18:17:27 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49dDX71Fc7z4SwX; Thu, 4 Jun 2020 18:17:27 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 258F123D02; Thu, 4 Jun 2020 18:17:27 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 054IHQ29084754; Thu, 4 Jun 2020 18:17:26 GMT (envelope-from kevans@FreeBSD.org) Received: (from kevans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 054IHQeB084749; Thu, 4 Jun 2020 18:17:26 GMT (envelope-from kevans@FreeBSD.org) Message-Id: <202006041817.054IHQeB084749@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kevans set sender to kevans@FreeBSD.org using -f From: Kyle Evans Date: Thu, 4 Jun 2020 18:17:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r361799 - in head: lib/libc/sys sys/kern sys/sys X-SVN-Group: head X-SVN-Commit-Author: kevans X-SVN-Commit-Paths: in head: lib/libc/sys sys/kern sys/sys X-SVN-Commit-Revision: 361799 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Jun 2020 18:17:27 -0000 Author: kevans Date: Thu Jun 4 18:17:25 2020 New Revision: 361799 URL: https://svnweb.freebsd.org/changeset/base/361799 Log: vfs: add restrictions to read(2) of a directory [2/2] This commit adds the priv(9) that waters down the sysctl to make it only allow read(2) of a dirfd by the system root. Jailed root is not allowed, but jail policy and superuser policy will abstain from allowing/denying it so that a MAC module can fully control the policy. Such a MAC module has been written, and can be found at: https://people.freebsd.org/~kevans/mac_read_dir-0.1.0.tar.gz It is expected that the MAC module won't be needed by many, as most only need to do such diagnostics that require this behavior as system root anyways. Interested parties are welcome to grab the MAC module above and create a port or locally integrate it, and with enough support it could see introduction to base. As noted in mac_read_dir.c, it is released under the BSD 2 clause license and allows the restrictions to be lifted for only jailed root or for all unprivileged users. PR: 246412 Reviewed by: mckusick, kib, emaste, jilles, cy, phk, imp (all previous) Reviewed by: rgrimes (latest version) Differential Revision: https://reviews.freebsd.org/D24596 Modified: head/lib/libc/sys/read.2 head/sys/kern/kern_jail.c head/sys/kern/kern_priv.c head/sys/kern/vfs_vnops.c head/sys/sys/priv.h Modified: head/lib/libc/sys/read.2 ============================================================================== --- head/lib/libc/sys/read.2 Thu Jun 4 18:09:55 2020 (r361798) +++ head/lib/libc/sys/read.2 Thu Jun 4 18:17:25 2020 (r361799) @@ -200,7 +200,7 @@ The file was marked for non-blocking I/O, and no data were ready to be read. .It Bq Er EISDIR The file descriptor is associated with a directory. -Directories may only be read directly if the filesystem supports it and +Directories may only be read directly by root if the filesystem supports it and the .Dv security.bsd.allow_read_dir sysctl MIB is set to a non-zero value. Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Thu Jun 4 18:09:55 2020 (r361798) +++ head/sys/kern/kern_jail.c Thu Jun 4 18:17:25 2020 (r361799) @@ -3324,6 +3324,14 @@ prison_priv_check(struct ucred *cred, int priv) return (EPERM); /* + * Jails should hold no disposition on the PRIV_VFS_READ_DIR + * policy. priv_check_cred will not specifically allow it, and + * we may want a MAC policy to allow it. + */ + case PRIV_VFS_READ_DIR: + return (0); + + /* * Conditionnaly allow locking (unlocking) physical pages * in memory. */ Modified: head/sys/kern/kern_priv.c ============================================================================== --- head/sys/kern/kern_priv.c Thu Jun 4 18:09:55 2020 (r361798) +++ head/sys/kern/kern_priv.c Thu Jun 4 18:17:25 2020 (r361799) @@ -194,6 +194,14 @@ priv_check_cred(struct ucred *cred, int priv) goto out; } break; + case PRIV_VFS_READ_DIR: + /* + * Allow PRIV_VFS_READ_DIR for root if we're not in a + * jail, otherwise deny unless a MAC policy grants it. + */ + if (jailed(cred)) + break; + /* FALLTHROUGH */ default: if (cred->cr_uid == 0) { error = 0; Modified: head/sys/kern/vfs_vnops.c ============================================================================== --- head/sys/kern/vfs_vnops.c Thu Jun 4 18:09:55 2020 (r361798) +++ head/sys/kern/vfs_vnops.c Thu Jun 4 18:17:25 2020 (r361799) @@ -1226,12 +1226,16 @@ vn_io_fault(struct file *fp, struct uio *uio, struct u * The ability to read(2) on a directory has historically been * allowed for all users, but this can and has been the source of * at least one security issue in the past. As such, it is now hidden - * away behind a sysctl for those that actually need it to use it. + * away behind a sysctl for those that actually need it to use it, and + * restricted to root when it's turned on to make it relatively safe to + * leave on for longer sessions of need. */ if (vp->v_type == VDIR) { KASSERT(uio->uio_rw == UIO_READ, ("illegal write attempted on a directory")); if (!vfs_allow_read_dir) + return (EISDIR); + if ((error = priv_check(td, PRIV_VFS_READ_DIR)) != 0) return (EISDIR); } Modified: head/sys/sys/priv.h ============================================================================== --- head/sys/sys/priv.h Thu Jun 4 18:09:55 2020 (r361798) +++ head/sys/sys/priv.h Thu Jun 4 18:17:25 2020 (r361799) @@ -283,6 +283,7 @@ #define PRIV_VFS_SYSFLAGS 342 /* Can modify system flags. */ #define PRIV_VFS_UNMOUNT 343 /* Can unmount(). */ #define PRIV_VFS_STAT 344 /* Override vnode MAC stat perm. */ +#define PRIV_VFS_READ_DIR 345 /* Can read(2) a dirfd, needs sysctl. */ /* * Virtual memory privileges.