From nobody Tue Jul 25 01:47:30 2023 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4R90Jz3vKWz4p5tx for ; Tue, 25 Jul 2023 01:47:31 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4R90Jy5KFPz4cCT for ; Tue, 25 Jul 2023 01:47:30 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1690249650; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Rq/LKPo5wTTcAVly2c+cvvbdfuorOfQDmduGQ4ifEoY=; b=Ymll85KWqCuTk3DMdKkehoLe/DZ5hopje1DcxymYkOHI4KqUDnJJcUBRcEkIJRscWBiXEc aUD7+ztFJXc8t9yumhd1U1BpInFRxPAy/mxjKZWRCIITWt/Sp9VUATCnZL8jqSxyox9zyU znPgp0lGEosscA1kq+uTdCmTNNaY4os8Vnz/SE3IJQ6gweaIePefX19lAXjMjP6qIYmNyp Jaaf3XnCrtr+8B9L2bOU/yryNull6+d8WR3+wlnY1SRlEGBnv/Z3kD0FDhlV1qDmJM+ECe 7yQD5F8U+XYndWm/BahyXS/MaBV4Pgj6CAB2MR6VXxxp7TfpgLR8bZUTSEFoLA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1690249650; a=rsa-sha256; cv=none; b=jbCq7kKUcvkEG+VvoaXaJVvXf6a04evhxIgTfOJOE46Tk14eyrE1GahYGDQ3E7TtcN8PlM jrle9aeWoX2PL8xnWxBMaE6CMsT5/PMXD0pxIS4Y7SHyXxVj9z4lLNw9O1WEVHja4P1W26 oJxIjqnayMQieri9JtAA/TpapR/H+B/2PVWA7q5rgZsg5nc78I7DWUUrYb30lwetyWIuGt 4oCFquhVM3iQ34ybo8NricEIsLzaAEQIwSA+RxPIc+/oG2wbouzprHGEW/Sm0anUSt8Y3O DqXIqifqJYK4K2Cwhlx5Vbo7qMEjYiOnT5/BDELoxT5yBUaYuBrN3PiX3HHmfQ== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4R90Jy4H9GzhGC for ; Tue, 25 Jul 2023 01:47:30 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 36P1lUoY075416 for ; Tue, 25 Jul 2023 01:47:30 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 36P1lUQt075415 for bugs@FreeBSD.org; Tue, 25 Jul 2023 01:47:30 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 272706] procstat(1): procstat vm in jails shows host paths of binaries and shared libraries from outside prison Date: Tue, 25 Jul 2023 01:47:30 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.2-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: elizabeth.jennifer.myers@gmail.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D272706 Bug ID: 272706 Summary: procstat(1): procstat vm in jails shows host paths of binaries and shared libraries from outside prison Product: Base System Version: 13.2-STABLE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: elizabeth.jennifer.myers@gmail.com procstat(1)'s vm subcommand in jails shows host paths of shared libraries a= nd binaries from outside the prison (example below). I am selecting the kernel component, because I suspect this is an issue in = the kernel, rather than the procstat vm command. I could be wrong, though. It is extremely unlikely that this can be used for a meaningful exploit, bu= t is more of an aesthetic issue. It is worth noting only root in the jail can execute this subcommand. Things that do not help (tested on 13.2): =E2=80=93 Disallowing kmem and /dev/io in the jail =E2=80=93 Disallowing procfs in the jail =E2=80=93 sysctl security.bsd.unprivileged_proc_debug=3D0 in the host Here is an example: root@z6a.info:/ # procstat vm 989 PID START END PRT RES PRES REF SHD FLAG TP = PATH 989 0x20210af3000 0x20210af7000 r-- 4 10 22 2 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/usr/sbin/rtsold 989 0x20210af7000 0x20210afe000 r-x 7 10 22 2 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/usr/sbin/rtsold 989 0x20210afe000 0x20210aff000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/usr/sbin/rtsold 989 0x20210aff000 0x20210b01000 rw- 2 0 1 0 C---- sw 989 0x20a11ab8000 0x20a31a98000 --- 0 0 0 0 ----- gd 989 0x20a31a98000 0x20a31ab8000 rw- 3 0 1 0 C--D- sw 989 0x20a32148000 0x20a32169000 rw- 7 0 1 0 C---- sw 989 0x20a3290c000 0x20a3290f000 r-- 3 6 32 12 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a3290f000 0x20a32912000 r-x 3 6 32 12 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a32912000 0x20a32913000 r-- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a32913000 0x20a32914000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a32914000 0x20a32915000 rw- 1 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libcasper.so.1 989 0x20a3335c000 0x20a33364000 r-- 7 19 52 18 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libutil.so.9 989 0x20a33364000 0x20a3336f000 r-x 11 19 52 18 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libutil.so.9 989 0x20a3336f000 0x20a33370000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libutil.so.9 989 0x20a33370000 0x20a33371000 rw- 1 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libutil.so.9 989 0x20a33371000 0x20a33373000 rw- 0 0 0 0 ----- -- 989 0x20a33855000 0x20a33856000 r-- 1 2 24 4 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/casper/libcap_syslog.so.1 989 0x20a33856000 0x20a33858000 r-x 2 2 24 4 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/casper/libcap_syslog.so.1 989 0x20a33858000 0x20a33859000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/casper/libcap_syslog.so.1 989 0x20a33859000 0x20a3385a000 rw- 1 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/casper/libcap_syslog.so.1 989 0x20a34523000 0x20a345a8000 r-- 78 321 89 41 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a345a8000 0x20a346f3000 r-x 219 321 89 41 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a346f3000 0x20a346fc000 r-- 9 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a346fc000 0x20a346fd000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a346fd000 0x20a34704000 rw- 7 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libc.so.7 989 0x20a34704000 0x20a34926000 rw- 7 0 1 0 C---- sw 989 0x20a355cd000 0x20a355d7000 r-- 8 20 30 10 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libnv.so.0 989 0x20a355d7000 0x20a355e4000 r-x 12 20 30 10 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libnv.so.0 989 0x20a355e4000 0x20a355e5000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libnv.so.0 989 0x20a355e5000 0x20a355e7000 rw- 2 0 1 0 C---- vn /usr/jails/basejail/base_amd64_amd64_13.2/lib/libnv.so.0 989 0x20a36200000 0x20a36400000 rw- 2 0 1 0 C---- sw 989 0x20a366f9000 0x20a368f9000 rw- 18 0 1 0 C---- sw 989 0x20a37800000 0x20a37c00000 rw- 1 1 1 0 C---- sw 989 0x20a38947000 0x20a38948000 rw- 0 0 1 0 ----- sw 989 0x31ae14de4000 0x31ae14deb000 r-- 7 29 76 28 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/libexec/ld-elf.so.1 989 0x31ae14deb000 0x31ae14e01000 r-x 22 29 76 28 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/libexec/ld-elf.so.1 989 0x31ae14e01000 0x31ae14e02000 r-- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/libexec/ld-elf.so.1 989 0x31ae14e02000 0x31ae14e03000 rw- 1 0 5 0 CN--- vn /usr/jails/basejail/base_amd64_amd64_13.2/libexec/ld-elf.so.1 989 0x31ae14e03000 0x31ae14e04000 rw- 0 0 1 0 C---- sw 989 0x7fffffffe000 0x7ffffffff000 r-x 1 1 59 0 ----- ph --=20 You are receiving this mail because: You are the assignee for the bug.=