Date: Tue, 25 Jul 2023 01:47:30 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 272706] procstat(1): procstat vm in jails shows host paths of binaries and shared libraries from outside prison Message-ID: <bug-272706-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D272706 Bug ID: 272706 Summary: procstat(1): procstat vm in jails shows host paths of binaries and shared libraries from outside prison Product: Base System Version: 13.2-STABLE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: elizabeth.jennifer.myers@gmail.com procstat(1)'s vm subcommand in jails shows host paths of shared libraries a= nd binaries from outside the prison (example below). I am selecting the kernel component, because I suspect this is an issue in = the kernel, rather than the procstat vm command. I could be wrong, though. It is extremely unlikely that this can be used for a meaningful exploit, bu= t is more of an aesthetic issue. It is worth noting only root in the jail can execute this subcommand. Things that do not help (tested on 13.2): =E2=80=93 Disallowing kmem and /dev/io in the jail =E2=80=93 Disallowing procfs in the jail =E2=80=93 sysctl security.bsd.unprivileged_proc_debug=3D0 in the host Here is an example: root@z6a.info:/ # procstat vm 989 PID START END PRT RES PRES REF SHD FLAG TP = PATH 989 0x20210af3000 0x20210af7000 r-- 4 10 22 2 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/usr/sbin/rtsold 989 0x20210af7000 0x20210afe000 r-x 7 10 22 2 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/usr/sbin/rtsold 989 0x20210afe000 0x20210aff000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/usr/sbin/rtsold 989 0x20210aff000 0x20210b01000 rw- 2 0 1 0 C---- sw 989 0x20a11ab8000 0x20a31a98000 --- 0 0 0 0 ----- gd 989 0x20a31a98000 0x20a31ab8000 rw- 3 0 1 0 C--D- sw 989 0x20a32148000 0x20a32169000 rw- 7 0 1 0 C---- sw 989 0x20a3290c000 0x20a3290f000 r-- 3 6 32 12 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a3290f000 0x20a32912000 r-x 3 6 32 12 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a32912000 0x20a32913000 r-- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a32913000 0x20a32914000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a32914000 0x20a32915000 rw- 1 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a3335c000 0x20a33364000 r-- 7 19 52 18 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libutil.so.9 989 0x20a33364000 0x20a3336f000 r-x 11 19 52 18 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libutil.so.9 989 0x20a3336f000 0x20a33370000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libutil.so.9 989 0x20a33370000 0x20a33371000 rw- 1 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libutil.so.9 989 0x20a33371000 0x20a33373000 rw- 0 0 0 0 ----- -- 989 0x20a33855000 0x20a33856000 r-- 1 2 24 4 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/casper/libcap_syslog.so.1 989 0x20a33856000 0x20a33858000 r-x 2 2 24 4 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/casper/libcap_syslog.so.1 989 0x20a33858000 0x20a33859000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/casper/libcap_syslog.so.1 989 0x20a33859000 0x20a3385a000 rw- 1 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/casper/libcap_syslog.so.1 989 0x20a34523000 0x20a345a8000 r-- 78 321 89 41 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a345a8000 0x20a346f3000 r-x 219 321 89 41 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a346f3000 0x20a346fc000 r-- 9 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a346fc000 0x20a346fd000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a346fd000 0x20a34704000 rw- 7 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a34704000 0x20a34926000 rw- 7 0 1 0 C---- sw 989 0x20a355cd000 0x20a355d7000 r-- 8 20 30 10 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libnv.so.0 989 0x20a355d7000 0x20a355e4000 r-x 12 20 30 10 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libnv.so.0 989 0x20a355e4000 0x20a355e5000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libnv.so.0 989 0x20a355e5000 0x20a355e7000 rw- 2 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libnv.so.0 989 0x20a36200000 0x20a36400000 rw- 2 0 1 0 C---- sw 989 0x20a366f9000 0x20a368f9000 rw- 18 0 1 0 C---- sw 989 0x20a37800000 0x20a37c00000 rw- 1 1 1 0 C---- sw 989 0x20a38947000 0x20a38948000 rw- 0 0 1 0 ----- sw 989 0x31ae14de4000 0x31ae14deb000 r-- 7 29 76 28 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/libexec/ld-elf.so.1 989 0x31ae14deb000 0x31ae14e01000 r-x 22 29 76 28 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/libexec/ld-elf.so.1 989 0x31ae14e01000 0x31ae14e02000 r-- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/libexec/ld-elf.so.1 989 0x31ae14e02000 0x31ae14e03000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/libexec/ld-elf.so.1 989 0x31ae14e03000 0x31ae14e04000 rw- 0 0 1 0 C---- sw 989 0x7fffffffe000 0x7ffffffff000 r-x 1 1 59 0 ----- ph --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-272706-227>