Date:      Sun, 7 Aug 2005 09:23:13 +0400 (MSD)
From:      Stanislav Sedov <stas@310.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/84635: md(4) driver breaks strict security rules
Message-ID:  <200508070523.j775ND4W050142@dracon.310.ru>
Resent-Message-ID: <200508070530.j775UH8Q073457@freefall.freebsd.org>


>Number:         84635
>Category:       kern
>Synopsis:       md(4) driver breaks strict security rules
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 07 05:30:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Stanislav Sedov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
310.ru [Tridesyatoe]
>Environment:
System: FreeBSD stalingrad.realnet 7.0-CURRENT FreeBSD 7.0-CURRENT #96: Thu Jul 28 21:05:39 UTC 2005 root@stalingrad.realnet:/work/src/fbsd-cur/src/sys/i386/compile/DESKTOP i386


	
>Description:
	md(4) driver doesn't check write permissions of files on which it's
backed. So somebody with root perms can write to files when the schg flag is set.
Also this driver ignores MAC policies.

>How-To-Repeat:
	
>Fix:

	

--- md.c.diff begins here ---
--- sys/dev/md/md.c.orig	Wed Jul 27 11:34:28 2005
+++ sys/dev/md/md.c	Wed Jul 27 15:28:28 2005
@@ -510,6 +510,8 @@
 		error = VOP_READ(sc->vnode, &auio, IO_DIRECT, sc->cred);
 		VOP_UNLOCK(sc->vnode, 0, curthread);
 	} else {
+		if (sc->flags & MD_READONLY)
+			return ENOTSUPP;
 		(void)vn_start_write(sc->vnode, &mp, V_WAIT);
 		vn_lock(sc->vnode, LK_EXCLUSIVE | LK_RETRY, curthread);
 		error = VOP_WRITE(sc->vnode, &auio,
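Review bot: The early `return ENOTSUPP;` at the top of the write branch leaves the function directly, while the neighbouring lines assign to `error` and fall through; set `error` instead unless nothing after the if/else needs to run. Please also check that ENOTSUPP is defined for the kernel: EROFS, which the open path in this same patch already treats as the read-only case, reads as the more natural errno for a write to a read-only unit, and the file's style is `return (error);` with parentheses. None of the visible changes adds a MAC check around VOP_WRITE, so the MAC part of the description looks unaddressed.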
@@ -879,7 +881,7 @@
 	error = copyinstr(mdio->md_file, sc->file, sizeof(sc->file), NULL);
 	if (error != 0)
 		return (error);
-	flags = FREAD|FWRITE;
+	flags = sc->flags & MD_READONLY ? FREAD : (FREAD|FWRITE);
 	NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td);
 	error = vn_open(&nd, &flags, 0, -1);
 	if (error != 0) {
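Review bot: The new `flags = sc->flags & MD_READONLY ? ...` line only helps if sc->flags already carries the caller's read-only option at this point, which the hunk does not show; please confirm the options are copied into sc->flags before the open. Parenthesising the test as `(sc->flags & MD_READONLY) ? FREAD : (FREAD|FWRITE)` would make the precedence obvious to the next reader.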
@@ -887,6 +889,7 @@
 		if (error != EACCES && error != EPERM && error != EROFS)
 			return (error);
 		flags &= ~FWRITE;
+		sc->flags |= MD_READONLY;
 		NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td);
 		error = vn_open(&nd, &flags, 0, -1);
 	}
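Review bot: `sc->flags |= MD_READONLY;` is set before the retried vn_open() has succeeded, so a failed retry leaves the unit marked read-only; move the assignment after the second `error` check, or confirm sc is discarded on that path. This line is what makes the write-path check effective when the read-write open was refused with EACCES, EPERM or EROFS, so a one-line comment saying so is worth adding.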
--- md.c.diff ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:


