Date: Sat, 15 Jun 2013 17:23:50 -0600 From: Jamie Gritton <jamie@FreeBSD.org> To: FreeBSD Current <freebsd-current@FreeBSD.org> Cc: Kirk McKusick <mckusick@mckusick.com>, Konstantin Belousov <kostikbel@gmail.com>, Robert Watson <rwatson@FreeBSD.org>, Alexander Leidinger <netchild@FreeBSD.org> Subject: Re: A PRIV_* flag for /dev/mem? Message-ID: <51BCF786.2070603@FreeBSD.org> In-Reply-To: <201305202256.r4KMuWpH055366@chez.mckusick.com> References: <201305202256.r4KMuWpH055366@chez.mckusick.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
--------------030503080608040607080208
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
On 05/20/13 16:56, Kirk McKusick wrote:
> I pointed Robert and Pawel at your discussion on creating a new
> PRIV_KMEM and adding a check for it in memopen(). I am of the opinion
> that this is a good idea, but I am hoping that one of Robert or Pawel
> will comment since they are much more active in this area.
I suppose it's safe to say further comment isn't forthcoming. So with
one vote for and one against (or at least questioning), I'll humbly
leave it up to myself to be the tie-breaker :-).
Here's a proposed patch. I separate kmem access into read and write, as
I saw other similar splits in the priv list. Perhaps that's overkill,
and I can use a single PRIV_KMEM instead of PRIV_KMEM_READ and
PRIV_KMEM_WRITE.
Perhaps this is an overreach, because PRIV_KMEM_READ is used where the
default isn't root privilege: the file permission and expected usage are
group kmem gets to read /dev/[k]mem. I'm not about to go hard-coding a
gid into the kernel, so it seems the proper thing to do (not included in
the patch) would be to allow PRIV_KMEM_READ by default. I thought there
might already be such cases where the default is to allow, but no: this
would be the first default-allow permission. So perhaps the best answer
is not worry about that one, and only add PRIV_KMEM_WRITE (leaving reads
controlled by file permission alone as they are now).
- Jamie
--------------030503080608040607080208
Content-Type: text/plain;
name="kmem.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="kmem.diff"
Index: sys/sys/priv.h
===================================================================
--- sys/sys/priv.h (revision 251793)
+++ sys/sys/priv.h (working copy)
@@ -494,9 +494,15 @@
#define PRIV_RCTL_REMOVE_RULE 674
/*
+ * Kernel memory privileges.
+ */
+#define PRIV_KMEM_READ 680 /* Read from kernel memory. */
+#define PRIV_KMEM_WRITE 681 /* Write to kernel memory. */
+
+/*
* Track end of privilege list.
*/
-#define _PRIV_HIGHEST 675
+#define _PRIV_HIGHEST 682
/*
* Validate that a named privilege is known by the privilege system. Invalid
Index: sys/kern/kern_priv.c
===================================================================
--- sys/kern/kern_priv.c (revision 251793)
+++ sys/kern/kern_priv.c (working copy)
@@ -142,6 +142,15 @@
}
/*
+ * Writes to kernel memory are a typical root-only operation,
+ * but non-root users are expected to be able to read it.
+ */
+ if (priv == PRIV_KMEM_READ) {
+ error = 0;
+ goto out;
+ }
+
+ /*
* Now check with MAC, if enabled, to see if a policy module grants
* privilege.
*/
Index: sys/dev/mem/memdev.c
===================================================================
--- sys/dev/mem/memdev.c (revision 251793)
+++ sys/dev/mem/memdev.c (working copy)
@@ -67,8 +67,14 @@
{
int error = 0;
- if (flags & FWRITE)
- error = securelevel_gt(td->td_ucred, 0);
+ if (flags & FREAD)
+ error = priv_check(td, PRIV_KMEM_READ);
+ if (flags & FWRITE) {
+ if (error != 0)
+ error = priv_check(td, PRIV_KMEM_WRITE);
+ if (error != 0)
+ error = securelevel_gt(td->td_ucred, 0);
+ }
return (error);
}
--------------030503080608040607080208--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51BCF786.2070603>