misc/83297: Possible issue with FreeBSD 5.4 jailing and BPF
Ron van Daal
bugreport at tux.linux666.com
Mon Jul 11 21:50:17 GMT 2005
>Synopsis: Possible issue with FreeBSD 5.4 jailing and BPF
>Arrival-Date: Mon Jul 11 21:50:16 GMT 2005
>Originator: Ron van Daal
>Release: FreeBSD 5.4-RELEASE
FreeBSD jail 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root at harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
While playing around with FreeBSD 5.4 and jailing I discovered that it was possible to put an Ethernet interface into promiscuous mode from within the jailed environment, allowing a packet sniffer to gather data not meant for the jailed box. This also affects FreeBSD 5.3 (tested) but not FreeBSD 4.x. This can be reproduced on boxes where BPF support is enabled in the kernel and a BPF device is available in the jail (badly configured devfs/no rules).
The problem lies within the FreeBSD 5.x BPF kernel code: "The Berkeley Packet Filter provides a raw interface to data link layers in a protocol independent fashion. The function bpfopen() opens an Ethernet device. There is a conditional which disallows any jailed processes from accessing this function."
This conditional was present in the 4.x series kernels but is missing in 5.x, thus allowing free access to bpfopen() from within a jailed environment. I think this is related to the changed jailing code between these kernels. I don't believe this has been left out on purpose in favor of devfs rulesets (...). If not, I'd like to have some comments on this.
Conclusion: usage of devfs rulesets is highly recommended, as stated in the manpages. A misconfiguration at this point would, however, expose a big security issue. The question is: should bpfopen() in bpf.c check for a jailed proc or not?
Use a FreeBSD 5.4 or 5.3 kernel which has BPF support compiled in, e.g. stock FreeBSD 5.4-RELEASE. Create a jailing environment, mount the devfs filesystem (without rules) and start the jail. Check if there's a BPF device. It's now possible to put your Ethernet card in promiscuous mode using e.g. tcpdump.
I believe there must be a condition in bpfopen() (file /usr/src/sys/net/bpf.h) which checks for a jailed process, e.g. like the code in the 4.x kernel BPF code: if (p->p_prison) return (EPERM);
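The conclusion above points at devfs rulesets as the mitigation. As an added example (not part of the PR and not FreeBSD's own tooling), this Python script models the hide/unhide/include processing of devfs.rules(5) so a jail ruleset can be checked offline for leaving bpf nodes visible; the ruleset names, the deliberately leaky ruleset and the use of `fnmatch` for devfs glob matching are assumptions of the example.

```python
# Added example (not from the PR): offline evaluator for devfs.rules(5) so a jail
# ruleset can be checked for leaking bpf nodes. Models 'add [path glob]... hide|unhide|include' only.
import fnmatch, re, shlex

# Constructed sample in the style of /etc/defaults/devfs.rules; ruleset 5 is deliberately leaky.
SAMPLE_RULES = """
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path 'pts/*' unhide
[devfsrules_jail_leaky=5]
add include $devfsrules_jail
add path 'bpf*' unhide
"""

def parse_rulesets(text):
    """Map each [name=N] section, by name and by number, to its tokenised rules."""
    sets, current = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        m = re.fullmatch(r"\[(\w+)=(\d+)\]", line)
        if m:
            current = sets[m.group(1)] = sets[m.group(2)] = []
        elif line:
            current.append(shlex.split(line))  # fails if a rule precedes a section
    return sets

def apply_ruleset(sets, ruleset, devpath, visible=True):
    """File-order evaluation: last matching hide/unhide wins; untouched nodes stay visible."""
    for toks in sets[ruleset.lstrip("$")]:
        toks = toks[1:] if toks[:1] == ["add"] else list(toks)
        matched = True
        while toks[:1] == ["path"]:             # only 'path' conditions are modelled
            matched = matched and fnmatch.fnmatchcase(devpath, toks[1])
            toks = toks[2:]
        if not matched:
            continue
        if toks == ["hide"]:
            visible = False
        elif toks == ["unhide"]:
            visible = True
        elif toks[:1] == ["include"]:           # apply the named/numbered ruleset in place
            visible = apply_ruleset(sets, toks[1], devpath, visible)
        else:
            raise ValueError("unsupported devfs rule: %s" % " ".join(toks))
    return visible
```

Running `apply_ruleset(parse_rulesets(SAMPLE_RULES), "devfsrules_jail", "bpf0")` returns False, while the leaky ruleset returns True for the same node; an empty ruleset leaves every node visible, which is the no-rules devfs situation the PR describes.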