From owner-freebsd-bugs@FreeBSD.ORG Mon Jul 11 21:50:17 2005
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 603DC16A41F for ; Mon, 11 Jul 2005 21:50:17 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9BEAC43D58 for ; Mon, 11 Jul 2005 21:50:16 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j6BLoGW8090355 for ; Mon, 11 Jul 2005 21:50:16 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j6BLoGmn090354; Mon, 11 Jul 2005 21:50:16 GMT (envelope-from gnats)
Resent-Date: Mon, 11 Jul 2005 21:50:16 GMT
Resent-Message-Id: <200507112150.j6BLoGmn090354@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Ron van Daal
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 41D0116A41C for ; Mon, 11 Jul 2005 21:49:56 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id E6E2843D45 for ; Mon, 11 Jul 2005 21:49:55 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j6BLntsw039575 for ; Mon, 11 Jul 2005 21:49:55 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id j6BLntph039574; Mon, 11 Jul 2005 21:49:55 GMT (envelope-from nobody)
Message-Id:
<200507112149.j6BLntph039574@www.freebsd.org>
Date: Mon, 11 Jul 2005 21:49:55 GMT
From: Ron van Daal
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Cc:
Subject: misc/83297: Possible issue with FreeBSD 5.4 jailing and BPF
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 11 Jul 2005 21:50:17 -0000

>Number:         83297
>Category:       misc
>Synopsis:       Possible issue with FreeBSD 5.4 jailing and BPF
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 11 21:50:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Ron van Daal
>Release:        FreeBSD 5.4-RELEASE
>Organization:
Syntonic Internet
>Environment:
FreeBSD jail 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
While playing around with FreeBSD 5.4 and jailing, I discovered that it was possible to put an Ethernet interface into promiscuous mode from within the jailed environment, allowing a packet sniffer to gather data not meant for the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x.

This can be reproduced on boxes where BPF support is enabled in the kernel and a BPF device is available in the jail (badly configured devfs/no rules).

The problem lies within the FreeBSD 5.x BPF kernel code:

"The Berkeley Packet Filter provides a raw interface to data link layers in a protocol independent fashion. The function bpfopen() opens an Ethernet device. There is a conditional which disallows any jailed processes from accessing this function."

This conditional was present in the 4.x series kernels but is missing in 5.x, thus allowing free access to bpfopen() from within a jailed environment.
I think this is related to the changed jailing code between these kernels. I don't believe this has been left out on purpose in favor of devfs rulesets (...) If not, I'd like to have some comments on this.

Conclusion: Usage of devfs rulesets is highly recommended, as stated in the manpages. A misconfiguration at this point, though, would expose a big security issue. The question is: should bpfopen() in bpf.c check for a jailed proc or not?
>How-To-Repeat:
Use a FreeBSD 5.4 or 5.3 kernel which has BPF support compiled in, e.g. stock FreeBSD 5.4-RELEASE. Create a jailing environment, mount the devfs filesystem (without rules) and start the jail. Check if there's a BPF device. It's now possible to put your Ethernet card in promiscuous mode using e.g. tcpdump.
>Fix:
I believe there must be a condition in bpfopen() (file /usr/src/sys/net/bpf.h) which checks for a jailed process. E.g. like the code in the 4.x kernel BPF code:

if (p->p_prison)
        return (EPERM);
>Release-Note:
>Audit-Trail:
>Unformatted:
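As an added example, not part of this PR or of FreeBSD's own code: a POSIX shell audit that checks whether a jail's devfs mount exposes bpf nodes, which is the misconfiguration the report depends on. It assumes the jail's /dev path is known and is demonstrated on constructed directories; the hiding ruleset named in the comments is the stock devfsrules_jail from /etc/defaults/devfs.rules.

```sh
#!/bin/sh
# Added example, not from the PR or FreeBSD: audit a jail's devfs for BPF nodes.
# The report's mitigation is a devfs ruleset that hides /dev/bpf* inside the
# jail; this checks whether that mitigation is actually in effect.
#
# Stock FreeBSD ships ruleset 4 (devfsrules_jail = hide_all + unhide_basic +
# unhide_login) in /etc/defaults/devfs.rules; it is applied to a jail's devfs
# with:  devfs -m /path/to/jail/dev rule -s 4 applyset

# Print any bpf device nodes visible directly under the given jail /dev.
# Returns 0 if at least one /dev/bpf* node is exposed, 1 if none is visible.
jail_bpf_exposed() {
    jail_dev="$1"
    nodes=$(find "$jail_dev" -maxdepth 1 -name 'bpf*' 2>/dev/null || true)
    if [ -n "$nodes" ]; then
        printf '%s\n' "$nodes"
        return 0
    fi
    return 1
}

# One-line verdict suitable for a monitoring or build-time check.
audit_jail_dev() {
    if jail_bpf_exposed "$1" >/dev/null; then
        echo "EXPOSED: $1 contains bpf nodes; jailed root can sniff the host NIC"
    else
        echo "OK: no bpf nodes visible under $1"
    fi
}

# Demonstration on constructed directories standing in for two jails' /dev.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/unruled/dev" "$tmp/ruled/dev"
    : > "$tmp/unruled/dev/bpf0"; : > "$tmp/unruled/dev/null"   # devfs mounted with no rules
    : > "$tmp/ruled/dev/null"                                  # devfsrules_jail applied
    audit_jail_dev "$tmp/unruled/dev"
    audit_jail_dev "$tmp/ruled/dev"
    rm -rf "$tmp"
}
```

Run `demo` to see both verdicts; on a real host point `audit_jail_dev` at each jail's devfs mount point.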