From: Robert Watson <rwatson@FreeBSD.org>
Date: Sat, 9 Aug 2008 12:05:58 +0100 (BST)
To: freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, thompsa@FreeBSD.ORG
In-Reply-To: <200808081318.m78DIaXJ017555@lurza.secnetix.de>
Subject: Re: should looking at an interface with 'ifconfig' trigger a change?

On Fri, 8 Aug 2008, Oliver Fromme wrote:

> Andrew Thompson wrote:
> > Pete French wrote:
> > > > The bce driver is not properly generating link state events.
> > >
> > > OK, that explains why it doesn't failover - but why does looking at it
> > > with ifconfig make a difference? Surely that should be 'read only'?
> >
> > ifconfig will cause the media status to be read from the hardware at which
> > time the link change is generated as it is different to the stored value.
>
> Shouldn't that be considered a security flaw? After all, you can perform
> "ifconfig $IF" inside a jail to list the interface configuration, but you're
> not allowed to make any changes.
>
> Given your description above, it means that it is possible to modify the
> interface configuration (cause a failover) from within a jail. That's not
> good. I think that needs to be fixed, or at the very least it needs to be
> properly documented.

While obviously a serious bug (link state notifications are required so that, for example, aggregates can take interfaces going down, or up, into account), I don't see this as a security flaw. The administrator intends for the higher abstraction state transition to be triggered by the lower one, but the problem is that the time it takes for that notification to take place is effectively non-deterministic. If they didn't want the higher level transition to take place, then they shouldn't have configured it that way.

On the whole, we make no attempt to limit covert channels from jails to the host system, and there are potentially lots of interactions between them, so it's not a violation of the security policy for jails. That said, this definitely needs to be fixed, as things like fail-over and routing updates happen pretty poorly otherwise.

The epistemology of security flaws is complicated, needless to say...

Robert N M Watson
Computer Laboratory
University of Cambridge
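The mechanism the thread describes, modelled as an added example that is not FreeBSD code and not the bce driver: a toy NIC driver keeps a stored link state, the buggy variant's link interrupt handler never pushes a new PHY state up to the consumer, and the media-status path (what "ifconfig <if>" reaches) reconciles stored versus hardware state as a side effect, so a supposedly read-only query is what finally fires the failover callback. The "fixed" flag switches the handler to report the change from the interrupt path directly. All names (toy_nic, toy_nic_media_status, failover_cb, and so on) are hypothetical stand-ins for the real ifnet/ifmedia interfaces.

```c
/* Added example (not FreeBSD or bce driver code): a toy model of a NIC
 * driver whose link-state notification is only raised from the media-status
 * path, so the upper layer (e.g. a lagg failover) learns of a link change
 * only when somebody queries the interface. All names are hypothetical. */
#include <stdio.h>
#include <stdbool.h>

typedef enum { LINK_UNKNOWN = 0, LINK_DOWN = 1, LINK_UP = 2 } link_state_t;

/* Upper-layer notification sink (stands in for if_link_state_change()). */
typedef void (*link_cb_t)(void *arg, link_state_t new_state);

struct toy_nic {
    link_state_t hw_link;      /* what the PHY actually reports */
    link_state_t stored_link;  /* what the driver/ifnet believes */
    link_cb_t    cb;           /* consumer notified on transitions */
    void        *cb_arg;
    bool         fixed;        /* true: interrupt path reports link changes */
};

/* Compare fresh PHY state with the stored one and notify on a change. */
static void toy_nic_sync_link(struct toy_nic *nic)
{
    if (nic->hw_link != nic->stored_link) {
        nic->stored_link = nic->hw_link;
        if (nic->cb)
            nic->cb(nic->cb_arg, nic->stored_link);
    }
}

/* The PHY changes state and the NIC raises a link interrupt. The buggy
 * variant acks the interrupt but never pushes the new state upward. */
void toy_nic_link_intr(struct toy_nic *nic, link_state_t new_hw_state)
{
    nic->hw_link = new_hw_state;
    if (nic->fixed)
        toy_nic_sync_link(nic);
    /* buggy variant: nothing else happens here */
}

/* Media status query, what an "ifconfig <if>" ends up calling. Intended
 * to be read-only, but it reconciles stored vs. hardware link as a side
 * effect, which is exactly what fires the consumer's callback. */
link_state_t toy_nic_media_status(struct toy_nic *nic)
{
    toy_nic_sync_link(nic);
    return nic->stored_link;
}

/* A consumer such as a failover aggregate: counts transitions it saw. */
struct failover { int transitions; link_state_t last; };

static void failover_cb(void *arg, link_state_t st)
{
    struct failover *f = arg;
    f->transitions++;
    f->last = st;
}

/* Scenario: link goes down. Returns how many transitions the consumer saw
 * before any status read. 0 means the failover never happened. */
int transitions_before_status_read(bool fixed)
{
    struct failover f = { 0, LINK_UNKNOWN };
    struct toy_nic nic = { LINK_UP, LINK_UP, failover_cb, &f, fixed };
    toy_nic_link_intr(&nic, LINK_DOWN);
    return f.transitions;
}

/* Same scenario, then an (unprivileged) observer runs the status query. */
int transitions_after_status_read(bool fixed)
{
    struct failover f = { 0, LINK_UNKNOWN };
    struct toy_nic nic = { LINK_UP, LINK_UP, failover_cb, &f, fixed };
    toy_nic_link_intr(&nic, LINK_DOWN);
    (void)toy_nic_media_status(&nic);
    return f.transitions;
}

int main(void)
{
    printf("buggy: before read %d, after read %d\n",
           transitions_before_status_read(false),
           transitions_after_status_read(false));
    printf("fixed: before read %d, after read %d\n",
           transitions_before_status_read(true),
           transitions_after_status_read(true));
    return 0;
}
```

In the buggy variant the consumer sees no transition until the status query runs, which is the "ifconfig makes it fail over" behaviour from the thread; in the fixed variant the transition is delivered from the interrupt path and the status query is genuinely read-only. The practical check on a real system is the same: pull the cable on a member of an aggregate and confirm the upper layer reacts without anyone having to poll the interface.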