kern/55163: [patch] hide kld system details from jails
Dmitry Morozovsky
marck at rinet.ru
Fri Aug 1 12:10:20 PDT 2003
>Number: 55163
>Category: kern
>Synopsis: [patch] hide kld system details from jails
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 01 12:10:18 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Morozovsky
>Release: FreeBSD 4-STABLE i386
>Organization:
Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD 4-STABLE
>Description:
It would be useful if we could hide kernel modules structure from jailed
processes.
The following patch (against -STABLE; AFAICS under -CURRENT similar
functionality is achieved via MAC) adds sysctl jail.kldread_allowed (defaults
to 1 to preserve POLA) which, when cleared, disables read-only kld sysctls for
jailed processes.
>How-To-Repeat:
[before the patch]:
#jail /path/to/jail/root jail.host.name 10.0.0.1 /bin/sh
#kldstat
Id Refs Address Size Name
1 8 0xc0100000 172230 kernel
...
#
[after the patch]:
#sysctl jail.kldread_allowed=0
jail.kldread_allowed: 1 -> 0
#jail /path/to/jail/root jail.host.name 10.0.0.1 /bin/sh
#kldstat
Id Refs Address Size Name
#
>Fix:
Index: sys/sys/jail.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/jail.h,v
retrieving revision 1.8.2.2
diff -u -r1.8.2.2 jail.h
--- sys/sys/jail.h 1 Nov 2000 17:58:06 -0000 1.8.2.2
+++ sys/sys/jail.h 1 Aug 2003 18:50:06 -0000
@@ -49,6 +49,7 @@
extern int jail_set_hostname_allowed;
extern int jail_socket_unixiproute_only;
extern int jail_sysvipc_allowed;
+extern int jail_kldread_allowed;
#endif /* !_KERNEL */
#endif /* !_SYS_JAIL_H_ */
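Review bot: no documentation accompanies the new tunable; the diff touches only headers and kernel sources, so wherever the neighbouring jail_set_hostname_allowed / jail_socket_unixiproute_only / jail_sysvipc_allowed knobs are described for administrators should gain a matching entry for jail.kldread_allowed in the same change. The extern itself is correctly placed with its siblings inside the _KERNEL block.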
Index: sys/kern/kern_jail.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_jail.c,v
retrieving revision 1.6.2.3
diff -u -r1.6.2.3 kern_jail.c
--- sys/kern/kern_jail.c 17 Aug 2001 01:00:26 -0000 1.6.2.3
+++ sys/kern/kern_jail.c 1 Aug 2003 18:50:06 -0000
@@ -44,6 +44,11 @@
&jail_sysvipc_allowed, 0,
"Processes in jail can use System V IPC primitives");
+int jail_kldread_allowed = 1;
+SYSCTL_INT(_jail, OID_AUTO, kldread_allowed, CTLFLAG_RW,
+ &jail_kldread_allowed, 0,
+ "Processes in jail can query kld system");
+
int
jail(p, uap)
struct proc *p;
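Review bot: the OID is declared CTLFLAG_RW, so the knob can be flipped at runtime; the thing to confirm is that a jailed root cannot write it back to 1, which would defeat the whole patch. Like the neighbouring jail.* sysctls it carries no CTLFLAG_PRISON, so it relies on the sysctl write path refusing jailed root for non-PRISON OIDs; worth a one-line check against kern_sysctl.c before committing. The description string "can query kld system" is fine, though "read" in the sysctl name and "query" in the string should stay in sync if the wording changes.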
Index: sys/kern/kern_linker.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_linker.c,v
retrieving revision 1.41.2.3
diff -u -r1.41.2.3 kern_linker.c
--- sys/kern/kern_linker.c 21 Nov 2001 17:50:35 -0000 1.41.2.3
+++ sys/kern/kern_linker.c 1 Aug 2003 18:50:06 -0000
@@ -43,6 +43,7 @@
#include <sys/namei.h>
#include <sys/vnode.h>
#include <sys/sysctl.h>
+#include <sys/jail.h>
#include <vm/vm_zone.h>
@@ -727,6 +728,9 @@
linker_file_t lf;
int error = 0;
+ if (!jail_kldread_allowed && p && p->p_prison)
+ return EPERM;
+
p->p_retval[0] = -1;
filename = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
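Review bot: the `p &&` part of the new check is dead code: two lines further down the existing `p->p_retval[0] = -1;` dereferences p unconditionally, so p is already assumed non-NULL here. Placing the check before the malloc(MAXPATHLEN) is the right ordering, since the early `return EPERM` then has nothing to free. The same three-line test is pasted into five functions in this file; a single inline helper in jail.h, e.g. `static __inline int jail_kld_denied(struct proc *p) { return (!jail_kldread_allowed && p->p_prison != NULL); }`, would keep the policy in one place and make a future change (say, also honouring securelevel) a one-line edit.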
@@ -755,6 +759,9 @@
linker_file_t lf;
int error = 0;
+ if (!jail_kldread_allowed && p && p->p_prison)
+ return EPERM;
+
if (SCARG(uap, fileid) == 0) {
if (TAILQ_FIRST(&linker_files))
p->p_retval[0] = TAILQ_FIRST(&linker_files)->id;
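Review bot: the check precedes the `SCARG(uap, fileid) == 0` branch, so a jailed caller gets EPERM before the first id is ever looked up; that matches the How-To-Repeat output where kldstat prints only its header. Note that the denial is silent on both sides: the kernel neither logs it nor counts it, so an administrator has no way to see from the host that a jailed process probed the module list. If that visibility matters, a rate-limited `log(LOG_INFO, ...)` at this point (or in a shared helper) would give it.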
@@ -784,6 +791,9 @@
struct kld_file_stat* stat;
int namelen;
+ if (!jail_kldread_allowed && p && p->p_prison)
+ return EPERM;
+
lf = linker_find_file_by_id(SCARG(uap, fileid));
if (!lf) {
error = ENOENT;
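Review bot: the check sits before `linker_find_file_by_id`, so a jailed process cannot distinguish an existing fileid from a non-existent one (it sees EPERM either way rather than success vs ENOENT); that is the correct ordering for an information-hiding knob, since the ENOENT oracle would otherwise let a jailed caller enumerate loaded ids even with the stat itself refused.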
@@ -828,6 +838,9 @@
linker_file_t lf;
int error = 0;
+ if (!jail_kldread_allowed && p && p->p_prison)
+ return EPERM;
+
lf = linker_find_file_by_id(SCARG(uap, fileid));
if (lf) {
if (TAILQ_FIRST(&lf->modules))
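Review bot: returning EPERM without setting `p->p_retval[0]` is fine for a syscall handler (a non-zero return becomes the caller's errno and the retval is ignored), and the check comes before the `linker_find_file_by_id` lookup, consistent with the other insertions. Only the redundant `p &&` remains to tidy, as p is dereferenced unconditionally by the code that follows.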
@@ -849,6 +862,9 @@
linker_file_t lf;
struct kld_sym_lookup lookup;
int error = 0;
+
+ if (!jail_kldread_allowed && p && p->p_prison)
+ return EPERM;
if ((error = copyin(SCARG(uap, data), &lookup, sizeof(lookup))) != 0)
goto out;
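Review bot: style: here the blank line is placed before the new check instead of after it, unlike the other five insertions; make the placement consistent. Functionally, a direct `return EPERM` rather than `goto out` is correct at this point because the check runs before the first `copyin` and before anything has been allocated, so there is nothing for the `out:` path to release.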
>Release-Note:
>Audit-Trail:
>Unformatted: