Weird behavior with /dev/mem

Robert Watson rwatson at freebsd.org
Fri Oct 31 11:50:56 PST 2003 

On Fri, 31 Oct 2003, Daniel C. Sobral wrote:

> Doug White wrote:
> > On Fri, 31 Oct 2003, Daniel C. Sobral wrote:
> > 
> > 
> >>Weird thing. I updated my system today (October 31), and now I can't
> >>list routes from syscons. But I still can list routes from Konsole, on
> >>X. Following a suggestion by Genesys, I checked permissions of /dev/mem
> >>and netstat and... for some reason, I can't stat /dev/mem under syscons!
> > 
> > 
> > You didn't mount that filesystem nosuid, did you?
> 
> No. And, as a matter of fact, the error is user-agnostic. In fact, in
> the example below the problem happen with the root user, while user dcs
> is home free. 
> 
> MMmmmm... I know what it is. It's something with mac, because X is run
> with /usr/sbin/setpmac mls/equal. (tests) Yep, that's it. 
> 
> Ok, rwatson, it's all your fault. Sneaky, sneaky. 

Hey, imagine that, a security check preventing something insecure :-).
With MLS enabled, /dev/kmem and /dev/mem are labeled as mls/high since
they potentially hold state associated with processes and objects with
high labels.  As a result, users without the necessary clearance to via
mls/high data can't use tools that grub around in kernel memory.  Tools
that use sysctl, on the other hand, are generally no problem.  The usual
fixes are:

(1) Teach netstat not to use kmem, instead use a more controlled export
    method.

(2) Make netstat exempt from the policy (i.e., run with setpmac mls/equal
    netstat, or we could introduce a transition mechanism for MLS).

(3) Only run netstat from contexts that are either allowed to access
    kernel memory (generally, mls/high), or are exempt (mls/equal).

Are you using kdm/xdm to log in, or using startx?  It's fairly likely
xdm/kdm aren't setting your label on login, and so you're getting the
label from the context they were run from.  Whereas when you log in using
login(1) login, your label is set properly.  getpmac should reveal whether
this is the case.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories

> 
> > 
> > 
> >>Here are a couple of typescripts I got:
> >>
> >>[0] dcs at dcs:/opt/home/dcs$ cat from_konsole
> >>Script started on Fri Oct 31 17:25:04 2003
> >>dcs at dcs:/opt/home/dcs$ ls -ld /dev
> >>dr-xr-xr-x  4 root  wheel  512 Oct 31 13:56 /dev
> >>dcs at dcs:/opt/home/dcs$ ls -l /dev/mem
> >>crw-r-----  1 root  kmem    2,   0 Oct 31 15:54 /dev/mem
> >>dcs at dcs:/opt/home/dcs$ ls -l /usr/bin/netstat
> >>-r-xr-sr-x  1 root  kmem  108664 Oct 31 13:18 /usr/bin/netstat
> >>dcs at dcs:/opt/home/dcs$ netstat -nr
> >>Routing tables
> >>
> >>Internet:
> >>Destination        Gateway            Flags    Refs      Use  Netif Expire
> >>default            10.0.11.1          UGSc        0        0   fxp0
> >>10/16              link#1             UC          0        0   fxp0
> >>10.0.2.72          00:04:23:2a:13:7b  UHLW        0        1   fxp0    881
> >>10.0.11.1          00:10:54:cd:58:40  UHLW       28        0   fxp0   1197
> >>10.0.12.131        00:01:30:26:e0:00  UHLW        0        0   fxp0   1186
> >>10.0.14.20         00:02:55:58:22:0a  UHLW        6    39928   fxp0    975
> >>127.0.0.1          127.0.0.1          UH          0        6    lo0
> >>dcs at dcs:/opt/home/dcs$ exit
> >>exit
> >>
> >>Script done on Fri Oct 31 17:25:20 2003
> >>[0] dcs at dcs:/opt/home/dcs$ cat from_syscons
> >>Script started on Fri Oct 31 17:26:01 2003
> >>root at dcs:/root$ ls -ld /dev
> >>dr-xr-xr-x  4 root  wheel  512 Oct 31 13:56 /dev
> >>root at dcs:/root$ ls -l /dev/mem
> >>ls: /dev/mem: Permission denied
> >>root at dcs:/root$ ls -l /usr/bin/netstat
> >>-r-xr-sr-x  1 root  kmem  108664 Oct 31 13:18 /usr/bin/netstat
> >>root at dcs:/root$ netstat -nr
> >>netstat: kvm not available
> >>Routing tables
> >>rt_tables: symbol not in namelist
> >>root at dcs:/root$ exit
> >>exit
> >>
> >>Script done on Fri Oct 31 17:26:18 2003
> >>[0] dcs at dcs:/opt/home/dcs$ which ls
> >>/bin/ls
> >>[0] dcs at dcs:/opt/home/dcs$ type ls
> >>ls is aliased to `ls -G'
> >>[0] dcs at dcs:/opt/home/dcs$ unalias ls
> >>[0] dcs at dcs:/opt/home/dcs$ ls -l /dev/mem
> >>crw-r-----  1 root  kmem    2,   0 Oct 31 15:54 /dev/mem
> >>
> >>I'm CCing phk on the grounds of Mr Devfs, and Sam as I blamed the
> >>networking code earlier... :-)
> >>
> >>
> > 
> > 
> 
> 
> -- 
> Daniel C. Sobral                   (8-DCS)
> Gerencia de Operacoes
> Divisao de Comunicacao de Dados
> Coordenacao de Seguranca
> VIVO Centro Oeste Norte
> Fones: 55-61-313-7654/Cel: 55-61-9618-0904
> E-mail: Daniel.Capo at tco.net.br
>          Daniel.Sobral at tcoip.com.br
>          dcs at tcoip.com.br
> 
> Outros:
> 	dcs at newsguy.com
> 	dcs at freebsd.org
> 	capo at notorious.bsdconspiracy.net
> 
> Ten years of rejection slips is nature's
> way of telling you to stop writing.
> 		-- R. Geis
> 
>

More information about the freebsd-current mailing list