Weird behavior with /dev/mem
Robert Watson
rwatson at freebsd.org
Fri Oct 31 11:50:56 PST 2003
On Fri, 31 Oct 2003, Daniel C. Sobral wrote:
> Doug White wrote:
> > On Fri, 31 Oct 2003, Daniel C. Sobral wrote:
> >
> >
> >>Weird thing. I updated my system today (October 31), and now I can't
> >>list routes from syscons. But I still can list routes from Konsole, on
> >>X. Following a suggestion by Genesys, I checked permissions of /dev/mem
> >>and netstat and... for some reason, I can't stat /dev/mem under syscons!
> >
> >
> > You didn't mount that filesystem nosuid, did you?
>
> No. And, as a matter of fact, the error is user-agnostic. In fact, in
> the example below the problem happens with the root user, while user dcs
> is home free.
>
> MMmmmm... I know what it is. It's something with mac, because X is run
> with /usr/sbin/setpmac mls/equal. (tests) Yep, that's it.
>
> Ok, rwatson, it's all your fault. Sneaky, sneaky.
Hey, imagine that, a security check preventing something insecure :-).
With MLS enabled, /dev/kmem and /dev/mem are labeled as mls/high since
they potentially hold state associated with processes and objects with
high labels. As a result, users without the necessary clearance to view
mls/high data can't use tools that grub around in kernel memory. Tools
that use sysctl, on the other hand, are generally no problem. The usual
fixes are:
(1) Teach netstat not to use kmem, instead use a more controlled export
method.
(2) Make netstat exempt from the policy (i.e., run with setpmac mls/equal
netstat, or we could introduce a transition mechanism for MLS).
(3) Only run netstat from contexts that are either allowed to access
kernel memory (generally, mls/high), or are exempt (mls/equal).
Are you using kdm/xdm to log in, or using startx? It's fairly likely
xdm/kdm aren't setting your label on login, and so you're getting the
label from the context they were run from. Whereas when you log in using
login(1), your label is set properly. getpmac should reveal whether
this is the case.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Network Associates Laboratories
>
> >
> >
> >>Here are a couple of typescripts I got:
> >>
> >>[0] dcs at dcs:/opt/home/dcs$ cat from_konsole
> >>Script started on Fri Oct 31 17:25:04 2003
> >>dcs at dcs:/opt/home/dcs$ ls -ld /dev
> >>dr-xr-xr-x 4 root wheel 512 Oct 31 13:56 /dev
> >>dcs at dcs:/opt/home/dcs$ ls -l /dev/mem
> >>crw-r----- 1 root kmem 2, 0 Oct 31 15:54 /dev/mem
> >>dcs at dcs:/opt/home/dcs$ ls -l /usr/bin/netstat
> >>-r-xr-sr-x 1 root kmem 108664 Oct 31 13:18 /usr/bin/netstat
> >>dcs at dcs:/opt/home/dcs$ netstat -nr
> >>Routing tables
> >>
> >>Internet:
> >>Destination Gateway Flags Refs Use Netif Expire
> >>default 10.0.11.1 UGSc 0 0 fxp0
> >>10/16 link#1 UC 0 0 fxp0
> >>10.0.2.72 00:04:23:2a:13:7b UHLW 0 1 fxp0 881
> >>10.0.11.1 00:10:54:cd:58:40 UHLW 28 0 fxp0 1197
> >>10.0.12.131 00:01:30:26:e0:00 UHLW 0 0 fxp0 1186
> >>10.0.14.20 00:02:55:58:22:0a UHLW 6 39928 fxp0 975
> >>127.0.0.1 127.0.0.1 UH 0 6 lo0
> >>dcs at dcs:/opt/home/dcs$ exit
> >>exit
> >>
> >>Script done on Fri Oct 31 17:25:20 2003
> >>[0] dcs at dcs:/opt/home/dcs$ cat from_syscons
> >>Script started on Fri Oct 31 17:26:01 2003
> >>root at dcs:/root$ ls -ld /dev
> >>dr-xr-xr-x 4 root wheel 512 Oct 31 13:56 /dev
> >>root at dcs:/root$ ls -l /dev/mem
> >>ls: /dev/mem: Permission denied
> >>root at dcs:/root$ ls -l /usr/bin/netstat
> >>-r-xr-sr-x 1 root kmem 108664 Oct 31 13:18 /usr/bin/netstat
> >>root at dcs:/root$ netstat -nr
> >>netstat: kvm not available
> >>Routing tables
> >>rt_tables: symbol not in namelist
> >>root at dcs:/root$ exit
> >>exit
> >>
> >>Script done on Fri Oct 31 17:26:18 2003
> >>[0] dcs at dcs:/opt/home/dcs$ which ls
> >>/bin/ls
> >>[0] dcs at dcs:/opt/home/dcs$ type ls
> >>ls is aliased to `ls -G'
> >>[0] dcs at dcs:/opt/home/dcs$ unalias ls
> >>[0] dcs at dcs:/opt/home/dcs$ ls -l /dev/mem
> >>crw-r----- 1 root kmem 2, 0 Oct 31 15:54 /dev/mem
> >>
> >>I'm CCing phk on the grounds of Mr Devfs, and Sam as I blamed the
> >>networking code earlier... :-)
> >>
> >>
> >
> >
>
>
> --
> Daniel C. Sobral (8-DCS)
> Gerencia de Operacoes
> Divisao de Comunicacao de Dados
> Coordenacao de Seguranca
> VIVO Centro Oeste Norte
> Fones: 55-61-313-7654/Cel: 55-61-9618-0904
> E-mail: Daniel.Capo at tco.net.br
> Daniel.Sobral at tcoip.com.br
> dcs at tcoip.com.br
>
> Outros:
> dcs at newsguy.com
> dcs at freebsd.org
> capo at notorious.bsdconspiracy.net
>
> Ten years of rejection slips is nature's
> way of telling you to stop writing.
> -- R. Geis
>
>
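As an added illustration of the check Robert describes (not code from the thread or from FreeBSD itself): a small Python model of the mac_mls(4) "no read up" rule, using the label grammar from mac_mls(4). The /dev/mem label mls/high and the mls/equal X session come from the thread; the syscons login being mls/low and the compartmented label are constructed assumptions.

```python
# Added model of the mac_mls(4) read check that denies /dev/mem in the thread.
# Label grammar follows mac_mls(4): mls/low, mls/equal, mls/high,
# or mls/<level>[:<comp>+<comp>...]. Session labels below are constructed.
from dataclasses import dataclass
from typing import FrozenSet

@dataclass(frozen=True)
class MlsLabel:
    kind: str                  # "low", "high", "equal" or "level"
    level: int = 0
    comps: FrozenSet[int] = frozenset()

def parse_label(text: str) -> MlsLabel:
    """Parse the effective part of a mac_mls label, e.g. 'mls/10:2+3'.
    A subject range such as 'mls/low(low-high)' is reduced to its effective label."""
    prefix, _, body = text.strip().partition("/")
    if prefix != "mls" or not body:
        raise ValueError(f"not an mls label: {text!r}")
    body = body.split("(", 1)[0]          # drop an optional subject range
    if body in ("low", "high", "equal"):
        return MlsLabel(body)
    level_s, _, comps_s = body.partition(":")
    comps = frozenset(int(c) for c in comps_s.split("+") if c)
    return MlsLabel("level", int(level_s), comps)

def dominates(a: MlsLabel, b: MlsLabel) -> bool:
    """True if a dominates b: equal dominates and is dominated by everything,
    high dominates everything, low is dominated by everything; otherwise a's
    level must be at least b's and a's compartments must cover b's."""
    if "equal" in (a.kind, b.kind):
        return True
    if a.kind == "high" or b.kind == "low":
        return True
    if a.kind == "low" or b.kind == "high":
        return False
    return a.level >= b.level and a.comps >= b.comps

def may_read(subject: str, obj: str) -> bool:
    """Reading (and stat) requires the subject label to dominate the object's."""
    return dominates(parse_label(subject), parse_label(obj))

DEV_MEM = "mls/high"   # label the MLS policy gives /dev/mem and /dev/kmem

if __name__ == "__main__":
    # Constructed session labels: X started under setpmac mls/equal (from the
    # thread); the syscons login is assumed to receive a low label.
    for who, label in [("konsole dcs", "mls/equal"), ("syscons root", "mls/low"),
                       ("compartmented", "mls/5:1+2")]:
        verdict = "ok" if may_read(label, DEV_MEM) else "Permission denied"
        print(f"{who:13} {label:12} stat /dev/mem -> {verdict}")
```

Only a label that dominates mls/high (mls/high itself or mls/equal) passes, which is why fix (2) and (3) above work regardless of the Unix uid.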