Date:      Sat, 16 May 2020 12:52:29 -0500
From:      Kyle Evans <kevans@freebsd.org>
Cc:        "Julian H. Stacey" <jhs@berklix.com>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>,  "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject:   Re: [HEADSUP] Disallowing read() of a directory fd
Message-ID:  <CACNAnaGthrQ3WDhk5k+H9x+K14SVSeN7=4avRrNFXeu9EobtPA@mail.gmail.com>
In-Reply-To: <CACNAnaFapztQL3N4sWTv1-umh96xUeZPYUoQ3imX7fhCk5c0HA@mail.gmail.com>
References:  <2ea8236f935a4c786a0f4f06ca1d3ea3@udns.ultimatedns.net> <202005161518.04GFIA0a099390@fire.js.berklix.net> <CACNAnaFapztQL3N4sWTv1-umh96xUeZPYUoQ3imX7fhCk5c0HA@mail.gmail.com>

On Sat, May 16, 2020 at 11:26 AM Kyle Evans <kevans@freebsd.org> wrote:
>
> On Sat, May 16, 2020 at 10:18 AM Julian H. Stacey <jhs@berklix.com> wrote:
> >
> > Another use of "cat ." is to see names of transient files a tool
> > creates, & normally deletes, if not aborting, so one can find same
> > name junk elsewhere, & search for tool causing junk,
> > & ensure other data files avoid using names that would be zapped.
> >
> > While blocking "cat ." might be worked round if not in a jail, &
> > or if using fsdb & sysctl etc, it would add to a more BSD specific
> > environment, where standard portable Unix skills were insufficient,
> > & more time needed to search & learn BSD extras.  Every obstacle
> > costs employers time = money.
> >
>
> This scenario is just a bit too generic for me to be able to relate
> to, because I've never been in a situation where I would've had to or
> just randomly used `cat .` to discover junk files. This also isn't
> really a transferable skill to other modern OS and filesystems, as
> oftentimes they won't or can't give you anything useful with read(2).
>
> That said, I've written a MAC policy that can live atop the current
> patch to lift all of the restrictions except the sysctl needing to be
> set: https://people.freebsd.org/~kevans/mac-read_dir.diff -> I could
> even be convinced fairly easily to commit it, if you'd find that
> acceptable. The policy ends up looking generically useful, as you can
> lift just the jail root restriction or you can allow any user to cat a
> directory.
>

I've finished up a manpage for this MAC module and the rest of the
build infrastructure, publishing it for review here:
https://reviews.freebsd.org/D24862 -> the formal dependency on the
previous review has been documented.

Thanks,

Kyle Evans