From owner-freebsd-hackers@freebsd.org Sat May 16 17:58:57 2020 Return-Path: Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id AE0572F86FD; Sat, 16 May 2020 17:58:57 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from slim.berklix.org (slim.berklix.org [94.185.90.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "slim.berklix.org", Issuer "slim.berklix.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 49PY1X1fGvz3Jrt; Sat, 16 May 2020 17:58:55 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from mart.js.berklix.net (p2E52C9E4.dip0.t-ipconnect.de [46.82.201.228]) (authenticated bits=128) by slim.berklix.org (8.15.2/8.15.2) with ESMTPSA id 04GHwm6B081960 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 16 May 2020 19:58:52 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id 04GHwldH008345; Sat, 16 May 2020 19:58:48 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.7/8.14.7) with ESMTP id 04GHwbpZ038671; Sat, 16 May 2020 19:58:47 +0200 (CEST) (envelope-from jhs@berklix.com) Message-Id: <202005161758.04GHwbpZ038671@fire.js.berklix.net> To: Kyle Evans cc: "freebsd-arch@freebsd.org" , "freebsd-hackers@freebsd.org" Subject: Re: [HEADSUP] Disallowing read() of a directory fd From: "Julian H. Stacey" Organization: http://berklix.com/jhs http://stolenvotes.uk User-agent: EXMH on FreeBSD http://berklix.com/free/ X-From: http://www.berklix.org/~jhs/ In-reply-to: Your message "Sat, 16 May 2020 11:26:11 -0500." Date: Sat, 16 May 2020 19:58:37 +0200 X-Rspamd-Queue-Id: 49PY1X1fGvz3Jrt X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of jhs@berklix.com has no SPF policy when checking 94.185.90.68) smtp.mailfrom=jhs@berklix.com X-Spamd-Result: default: False [0.21 / 15.00]; ARC_NA(0.00)[]; TO_DN_EQ_ADDR_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[berklix.com]; AUTH_NA(1.00)[]; HAS_ORG_HEADER(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; IP_SCORE(-0.00)[ip: (0.01), ipnet: 94.185.88.0/22(0.01), asn: 33824(-0.00), country: DE(-0.02)]; NEURAL_SPAM_LONG(0.11)[0.107,0]; RCVD_IN_DNSWL_NONE(0.00)[68.90.185.94.list.dnswl.org : 127.0.10.0]; NEURAL_HAM_MEDIUM(-0.80)[-0.797,0]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:33824, ipnet:94.185.88.0/22, country:DE]; RCVD_TLS_LAST(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[228.201.82.46.khpj7ygk5idzvmvt5x4ziurxhy.zen.dq.spamhaus.net : 127.0.0.10] X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 May 2020 17:58:57 -0000 Kyle Evans wrote: > On Sat, May 16, 2020 at 10:18 AM Julian H. Stacey wrote: > > > > Another use of "cat ." is to see names of transient files a tool > > creates, & normaly deletes, if not aborting, so one can find same > > name junk elsewhere, & search for tool causing junk, > > & ensure other data files avoid using names that would be zapped. > > > > While blocking "cat ." might be worked round if not in a jail, & > > or if using fsdb & sysctl etc, it would add to a more BSD specific > > environment, where standard portable Unix skills was insufficient, > > & more time needed to search & learn BSD extras. Every obstacle > > costs employers time = money. > > > > This scenario is just a bit too generic for me to be able to relate > to, because I've never been in a situation where I would've had to or > just randomly used `cat .` to discover junk files. Yes, it's a rare usage, I dont do it often. > This also isn't > really a transferable skill to other modern OS and filesystems, as > oftentimes they won't or can't give you anything useful with read(2). > > That said, I've written a MAC policy that can live atop the current > patch to lift all of the restrictions except the sysctl needing to be > set: https://people.freebsd.org/~kevans/mac-read_dir.diff -> I could > even be convinced fairly easily to commit it, if you'd find that > acceptable. The policy ends up looking generically useful, as you can > lift just the jail root restriction or you can allow any user to cat a > directory. > > Thanks, > > Kyle Evans Thanks, It's good if its all sysctl without reboot, (taking (phk's I recall) point about an fs not surviving a reboot) It sounds useful, if it allows 3 or is that more ? way choice between eg {old v. new} x { root v. non root } x { inside a jail v. outside } = 8 ? If all of that, I guess we'd just be down to a relaxed consideration about what default mode was for now & later. If there was change there, we'd need to check what policy is about giving advance notice of changes in RELNOTES. If RELNOTES required long notice than wanted , that could be worked round easily by implementing code, & merely issuing notice that defaults would change to new policy later at releasese x.y. I took a quick glance at https://people.freebsd.org/~kevans/mac-read_dir.diff but I'm sorry loads of real life distraction here. I'm sure others will want to read it. Thanks for working hard to cater for all cases ! :-) Cheers -- Julian Stacey, Consultant Systems Engineer, BSD Linux http://berklix.com/jhs/ http://www.berklix.org/corona/#masks Tie 2 handkerchiefs or 1 pillow case. Jobs & economy hit by Corona to be hit again by Crash Brexit 31st Dec. 2020