From owner-freebsd-bugs@FreeBSD.ORG Sun Aug 7 05:30:19 2005 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 16B1F16A41F for ; Sun, 7 Aug 2005 05:30:19 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B4B3343D7B for ; Sun, 7 Aug 2005 05:30:17 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j775UH0m073461 for ; Sun, 7 Aug 2005 05:30:17 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j775UH8Q073457; Sun, 7 Aug 2005 05:30:17 GMT (envelope-from gnats) Resent-Date: Sun, 7 Aug 2005 05:30:17 GMT Resent-Message-Id: <200508070530.j775UH8Q073457@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Stanislav Sedov Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 06D2616A41F for ; Sun, 7 Aug 2005 05:23:20 +0000 (GMT) (envelope-from stas@dracon.310.ru) Received: from dracon.310.ru (dracon.310.ru [83.97.105.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 55A72443CE for ; Sun, 7 Aug 2005 05:23:19 +0000 (GMT) (envelope-from stas@dracon.310.ru) Received: from dracon.310.ru (localhost.310.ru [127.0.0.1]) by dracon.310.ru (8.13.3/8.13.1) with ESMTP id j775NI7x050143 for ; Sun, 7 Aug 2005 09:23:18 +0400 (MSD) (envelope-from stas@dracon.310.ru) Received: (from stas@localhost) by dracon.310.ru (8.13.3/8.13.1/Submit) id j775ND4W050142; Sun, 7 Aug 2005 09:23:13 +0400 (MSD) (envelope-from stas) Message-Id: <200508070523.j775ND4W050142@dracon.310.ru> Date: Sun, 7 Aug 2005 09:23:13 +0400 (MSD) From: Stanislav Sedov To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: Subject: kern/84635: md(4) driver breaks strict security rules X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Stanislav Sedov List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Aug 2005 05:30:19 -0000 >Number: 84635 >Category: kern >Synopsis: md(4) driver breaks strict security rules >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Aug 07 05:30:17 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Stanislav Sedov >Release: FreeBSD 7.0-CURRENT i386 >Organization: 310.ru [Tridesyatoe] >Environment: System: FreeBSD stalingrad.realnet 7.0-CURRENT FreeBSD 7.0-CURRENT #96: Thu Jul 28 21:05:39 UTC 2005 root@stalingrad.realnet:/work/src/fbsd-cur/src/sys/i386/compile/DESKTOP i386 >Description: md(4) drivers doesn't check write permissions off files on which it's backed on. So somebody with root perms can write to files when schg flag is set. Also this driver ignores MAC policies. >How-To-Repeat: >Fix: --- md.c.diff begins here --- --- sys/dev/md/md.c.orig Wed Jul 27 11:34:28 2005 +++ sys/dev/md/md.c Wed Jul 27 15:28:28 2005 @@ -510,6 +510,8 @@ error = VOP_READ(sc->vnode, &auio, IO_DIRECT, sc->cred); VOP_UNLOCK(sc->vnode, 0, curthread); } else { + if (sc->flags & MD_READONLY) + return ENOTSUPP; (void)vn_start_write(sc->vnode, &mp, V_WAIT); vn_lock(sc->vnode, LK_EXCLUSIVE | LK_RETRY, curthread); error = VOP_WRITE(sc->vnode, &auio, @@ -879,7 +881,7 @@ error = copyinstr(mdio->md_file, sc->file, sizeof(sc->file), NULL); if (error != 0) return (error); - flags = FREAD|FWRITE; + flags = sc->flags & MD_READONLY ? FREAD : (FREAD|FWRITE); NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td); error = vn_open(&nd, &flags, 0, -1); if (error != 0) { @@ -887,6 +889,7 @@ if (error != EACCES && error != EPERM && error != EROFS) return (error); flags &= ~FWRITE; + sc->flags |= MD_READONLY; NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td); error = vn_open(&nd, &flags, 0, -1); } --- md.c.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted: