kern/84635: md(4) driver breaks strict security rules

Stanislav Sedov stas at 310.ru
Sun Aug 7 05:30:19 GMT 2005


>Number:         84635
>Category:       kern
>Synopsis:       md(4) driver breaks strict security rules
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 07 05:30:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Stanislav Sedov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
310.ru [Tridesyatoe]
>Environment:
System: FreeBSD stalingrad.realnet 7.0-CURRENT FreeBSD 7.0-CURRENT #96: Thu Jul 28 21:05:39 UTC 2005 root at stalingrad.realnet:/work/src/fbsd-cur/src/sys/i386/compile/DESKTOP i386


	
>Description:
	The md(4) driver doesn't check write permissions of the files it is
backed by. So somebody with root perms can write to files when the schg flag is set.
Also, this driver ignores MAC policies.

>How-To-Repeat:
	
>Fix:

	

--- md.c.diff begins here ---
--- sys/dev/md/md.c.orig	Wed Jul 27 11:34:28 2005
+++ sys/dev/md/md.c	Wed Jul 27 15:28:28 2005
@@ -510,6 +510,8 @@
 		error = VOP_READ(sc->vnode, &auio, IO_DIRECT, sc->cred);
 		VOP_UNLOCK(sc->vnode, 0, curthread);
 	} else {
+		if (sc->flags & MD_READONLY)
+			return ENOTSUPP;
 		(void)vn_start_write(sc->vnode, &mp, V_WAIT);
 		vn_lock(sc->vnode, LK_EXCLUSIVE | LK_RETRY, curthread);
 		error = VOP_WRITE(sc->vnode, &auio,
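Review bot: The new check in the write branch leaves the function with `return ENOTSUPP;`, while the read branch just above assigns to `error`; confirm that nothing after the if/else has to run for this request, or set `error` and fall through instead. The other returns visible in this patch use the parenthesized form `return (error);`, and EROFS, which the open path later in this patch already treats as a read-only condition, would describe a write to a read-only backing file more directly. The lines shown still call VOP_WRITE with no MAC check between vn_lock() and the write, so the MAC part of the report is not addressed by this hunk.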
@@ -879,7 +881,7 @@
 	error = copyinstr(mdio->md_file, sc->file, sizeof(sc->file), NULL);
 	if (error != 0)
 		return (error);
-	flags = FREAD|FWRITE;
+	flags = sc->flags & MD_READONLY ? FREAD : (FREAD|FWRITE);
 	NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td);
 	error = vn_open(&nd, &flags, 0, -1);
 	if (error != 0) {
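Review bot: The line `flags = sc->flags & MD_READONLY ? FREAD : (FREAD|FWRITE);` depends on sc->flags already carrying the caller's MD_READONLY request at this point, which the hunk does not show; if the flags are copied into sc later, the file is still opened read/write as before. Please confirm the ordering, and parenthesize the test as `(sc->flags & MD_READONLY) ? FREAD : (FREAD|FWRITE)` so the precedence is obvious to the reader.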
@@ -887,6 +889,7 @@
 		if (error != EACCES && error != EPERM && error != EROFS)
 			return (error);
 		flags &= ~FWRITE;
+		sc->flags |= MD_READONLY;
 		NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td);
 		error = vn_open(&nd, &flags, 0, -1);
 	}
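Review bot: `sc->flags |= MD_READONLY;` is set before the second vn_open() is known to succeed, so a failed retry leaves the flag changed on sc; setting it once the retry returns 0 keeps the state consistent with what was actually opened. A short comment noting that the device is being downgraded to read-only because the backing file could not be opened for writing would also help, since this assignment is what makes the new write-path check take effect.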
--- md.c.diff ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:

