From owner-svn-src-stable-11@freebsd.org Sat Oct 20 16:20:38 2018 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3BDB5FEB22B; Sat, 20 Oct 2018 16:20:38 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D418478FDC; Sat, 20 Oct 2018 16:20:37 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id CED7520562; Sat, 20 Oct 2018 16:20:37 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w9KGKbOV071858; Sat, 20 Oct 2018 16:20:37 GMT (envelope-from jamie@FreeBSD.org) Received: (from jamie@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w9KGKaRQ071853; Sat, 20 Oct 2018 16:20:36 GMT (envelope-from jamie@FreeBSD.org) Message-Id: <201810201620.w9KGKaRQ071853@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jamie set sender to jamie@FreeBSD.org using -f From: Jamie Gritton Date: Sat, 20 Oct 2018 16:20:36 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r339446 - in stable/11: sys/kern sys/sys usr.sbin/jail X-SVN-Group: stable-11 X-SVN-Commit-Author: jamie X-SVN-Commit-Paths: in stable/11: sys/kern sys/sys usr.sbin/jail X-SVN-Commit-Revision: 339446 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Oct 2018 16:20:38 -0000 Author: jamie Date: Sat Oct 20 16:20:36 2018 New Revision: 339446 URL: https://svnweb.freebsd.org/changeset/base/339446 Log: MFC r339409, r339420: Add a new jail permission, allow.read_msgbuf. When true, jailed processes can see the dmesg buffer (this is the current behavior). When false (the new default), dmesg will be unavailable to jailed users, whether root or not. The security.bsd.unprivileged_read_msgbuf sysctl still works as before, controlling system-wide whether non-root users can see the buffer. PR: 211580 Submitted by: bz Modified: stable/11/sys/kern/kern_jail.c stable/11/sys/kern/kern_priv.c stable/11/sys/kern/subr_prf.c stable/11/sys/sys/jail.h stable/11/usr.sbin/jail/jail.8 Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/kern/kern_jail.c ============================================================================== --- stable/11/sys/kern/kern_jail.c Fri Oct 19 10:05:02 2018 (r339445) +++ stable/11/sys/kern/kern_jail.c Sat Oct 20 16:20:36 2018 (r339446) @@ -200,6 +200,7 @@ static char *pr_allow_names[] = { "allow.mount.fdescfs", "allow.mount.linprocfs", "allow.mount.linsysfs", + "allow.read_msgbuf", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -219,6 +220,7 @@ static char *pr_allow_nonames[] = { "allow.mount.nofdescfs", "allow.mount.nolinprocfs", "allow.mount.nolinsysfs", + "allow.noread_msgbuf", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -3348,6 +3350,15 @@ prison_priv_check(struct ucred *cred, int priv) case PRIV_PROC_SETLOGINCLASS: return (0); + /* + * Do not allow a process inside a jail to read the kernel + * message buffer unless explicitly permitted. + */ + case PRIV_MSGBUF: + if (cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF) + return (0); + return (EPERM); + default: /* * In all remaining cases, deny the privilege request. This @@ -3796,6 +3807,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLA "B", "Jail may set file quotas"); SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); +SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may read the kernel message buffer"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, Modified: stable/11/sys/kern/kern_priv.c ============================================================================== --- stable/11/sys/kern/kern_priv.c Fri Oct 19 10:05:02 2018 (r339445) +++ stable/11/sys/kern/kern_priv.c Sat Oct 20 16:20:36 2018 (r339446) @@ -60,6 +60,11 @@ static int unprivileged_mlock = 1; SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RWTUN, &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)"); +static int unprivileged_read_msgbuf = 1; +SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf, + CTLFLAG_RW, &unprivileged_read_msgbuf, 0, + "Unprivileged processes may read the kernel message buffer"); + SDT_PROVIDER_DEFINE(priv); SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__ok, "int"); SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__err, "int"); @@ -102,6 +107,17 @@ priv_check_cred(struct ucred *cred, int priv, int flag switch (priv) { case PRIV_VM_MLOCK: case PRIV_VM_MUNLOCK: + error = 0; + goto out; + } + } + + if (unprivileged_read_msgbuf) { + /* + * Allow an unprivileged user to read the kernel message + * buffer. + */ + if (priv == PRIV_MSGBUF) { error = 0; goto out; } Modified: stable/11/sys/kern/subr_prf.c ============================================================================== --- stable/11/sys/kern/subr_prf.c Fri Oct 19 10:05:02 2018 (r339445) +++ stable/11/sys/kern/subr_prf.c Sat Oct 20 16:20:36 2018 (r339446) @@ -1042,11 +1042,6 @@ msgbufinit(void *ptr, int size) oldp = msgbufp; } -static int unprivileged_read_msgbuf = 1; -SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf, - CTLFLAG_RW, &unprivileged_read_msgbuf, 0, - "Unprivileged processes may read the kernel message buffer"); - /* Sysctls for accessing/clearing the msgbuf */ static int sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS) @@ -1055,11 +1050,9 @@ sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS) u_int seq; int error, len; - if (!unprivileged_read_msgbuf) { - error = priv_check(req->td, PRIV_MSGBUF); - if (error) - return (error); - } + error = priv_check(req->td, PRIV_MSGBUF); + if (error) + return (error); /* Read the whole buffer, one chunk at a time. */ mtx_lock(&msgbuf_lock); Modified: stable/11/sys/sys/jail.h ============================================================================== --- stable/11/sys/sys/jail.h Fri Oct 19 10:05:02 2018 (r339445) +++ stable/11/sys/sys/jail.h Sat Oct 20 16:20:36 2018 (r339446) @@ -230,7 +230,8 @@ struct prison_racct { #define PR_ALLOW_MOUNT_FDESCFS 0x1000 #define PR_ALLOW_MOUNT_LINPROCFS 0x2000 #define PR_ALLOW_MOUNT_LINSYSFS 0x4000 -#define PR_ALLOW_ALL 0x7fff +#define PR_ALLOW_READ_MSGBUF 0x8000 +#define PR_ALLOW_ALL 0xffff /* * OSD methods Modified: stable/11/usr.sbin/jail/jail.8 ============================================================================== --- stable/11/usr.sbin/jail/jail.8 Fri Oct 19 10:05:02 2018 (r339445) +++ stable/11/usr.sbin/jail/jail.8 Sat Oct 20 16:20:36 2018 (r339446) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 30, 2016 +.Dd October 20, 2018 .Dt JAIL 8 .Os .Sh NAME @@ -607,6 +607,11 @@ within a jail. The jail root may administer quotas on the jail's filesystem(s). This includes filesystems that the jail may share with other jails or with non-jailed parts of the system. +.It Va allow.read_msgbuf +Jailed users may read the kernel message buffer. +If the +.Va security.bsd.unprivileged_read_msgbuf +MIB entry is zero, this will be restricted to the root user. .It Va allow.socket_af Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that