From: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
To: freebsd-hackers@FreeBSD.org
Date: Mon, 21 Feb 2005 22:16:56 +0000
Message-ID: <20050221221656.GA64212@freebsd.czest.pl>
Subject: [PATCH] Dangerous jail()<->ioctl interactions.

Hello hackers,

I would like to let you know I've been doing a [partial] audit of ioctl()
code. There are some places which may interest you. These are:

    sys/cam/cam_xpt.c
    sys/contrib/ipfilter/netinet/ip_fil.c
    sys/contrib/pf/net/pf_ioctl.c
    sys/dev/ata/ata-all.c
    sys/dev/md/md.c
    sys/geom/geom_ctl.c

Those files contain ioctl()s which let jailed processes interact with each
of these subsystems.
Although files like /dev/mdctl should not appear in /dev with normal DEVFS
rulesets, I think it would be better if FreeBSD had those ioctl()s disabled
within a jail()ed environment. There is probably one reason for keeping
ipf/pf, since someone may want to fetch information about NATed connections.

How to repeat? Reproducing is very simple. Test environment:

    # jail / hostname 127.0.0.1 /bin/csh

After this step you can manipulate ATA devices:

    # atacontrol detach

Create/remove md(4) devices:

    # mdconfig -a -t malloc -s 100M
    # mdconfig -d -u md0

Manipulate cam(4) devices:

    # camcontrol reset cd0
    # camcontrol eject cd0

Manipulate gbde devices:

    # mdconfig -a -t malloc -s 10M
    # gbde

Manipulate ipnat/ipf/pf rules:

    # ipnat -f /etc/ipnat.conf
    # ipnat -CF a
    # pfctl -f /etc/pf.some.rules
    # ipf -f /etc/ipf.some.rules

Patches with simple suser() tests added are available at:

    (sys/cam/cam_xpt.c):
    http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.1.jail

    (sys/contrib/ipfilter/netinet/ip_fil.c):
    http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.2.jail

    (/usr/src/sys/contrib/pf/net/pf_ioctl.c):
    http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.3.jail

    (/usr/src/sys/dev/ata/ata-all.c):
    http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.4.jail
    (If someone would like to commit it, I can also write a style patch.)

    (/usr/src/sys/dev/md/md.c):
    http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.5.jail

    (/usr/src/sys/geom/geom_ctl.c):
    http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.6.jail

Comments are welcome. If you find some of these patches useful, please let
me know.

Regards,
--
* Wojciech A. Koszek && dunstan@FreeBSD.czest.pl
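The shape of the fix the posted patches describe, as an added stand-alone model that is not code from the post or from FreeBSD: a device ioctl dispatcher that any root reaches beside one guarded by a suser()-style test at entry, so jailed root is refused with EPERM. The ucred, prison, jailed(), suser_cred() and PRISON_ROOT names mirror FreeBSD 5.x but are reimplemented here in simplified form, and the command numbers are constructed for the model.

```c
/* Added example, not FreeBSD source: a simplified model of an ioctl
 * handler without and with the privilege check the patches add. */
#include <errno.h>
#include <stddef.h>

#define PRISON_ROOT 1          /* caller opts in to allowing jailed root */
#define MDIOCDETACH 0x4d01     /* constructed command numbers for the model */
#define MDIOCQUERY  0x4d02

struct prison { int pr_id; };
struct ucred { unsigned cr_uid; struct prison *cr_prison; };

/* Model of jailed(9): a credential is jailed when it carries a prison. */
static int jailed(const struct ucred *cr) { return cr->cr_prison != NULL; }

/* Model of suser_cred(9) from FreeBSD 5.x: uid 0 only counts as superuser
 * outside a jail, unless the caller passes PRISON_ROOT explicitly. */
static int suser_cred(const struct ucred *cr, int flag)
{
    if (cr->cr_uid != 0)
        return EPERM;
    if (jailed(cr) && !(flag & PRISON_ROOT))
        return EPERM;
    return 0;
}

/* Weak shape: no privilege test, so jailed root reaches the handler body. */
static int md_ioctl_unchecked(unsigned long cmd, const struct ucred *cr)
{
    (void)cr;
    return (cmd == MDIOCDETACH || cmd == MDIOCQUERY) ? 0 : ENOTTY;
}

/* Hardened shape: suser() test at entry, no PRISON_ROOT, before dispatch. */
static int md_ioctl_checked(unsigned long cmd, const struct ucred *cr)
{
    int error = suser_cred(cr, 0);
    if (error != 0)
        return error;            /* jailed root and non-root both get EPERM */
    return md_ioctl_unchecked(cmd, cr);
}

/* Helper: build a credential and run one of the two dispatchers
 * (hardened != 0 selects the checked version). */
int md_ioctl_as(unsigned uid, int in_jail, unsigned long cmd, int hardened)
{
    struct prison jail = { 1 };
    struct ucred cr = { uid, in_jail ? &jail : NULL };
    return hardened ? md_ioctl_checked(cmd, &cr) : md_ioctl_unchecked(cmd, &cr);
}
```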