Date:      Fri, 1 Aug 2003 23:02:02 +0400 (MSD)
From:      Dmitry Morozovsky <marck@rinet.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/55163: [patch] hide kld system details from jails
Message-ID:  <200308011902.h71J22ha087369@woozle.rinet.ru>
Resent-Message-ID: <200308011910.h71JAJ81074108@freefall.freebsd.org>


>Number:         55163
>Category:       kern
>Synopsis:       [patch] hide kld system details from jails
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 01 12:10:18 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Morozovsky
>Release:        FreeBSD 4-STABLE i386
>Organization:
Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD 4-STABLE 


>Description:

It would be useful if we could hide the kernel module structure from jailed
processes.

The following patch (against -STABLE; AFAICS under -CURRENT similar
functionality is achieved via MAC) adds the sysctl jail.kldread_allowed (defaulting
to 1 to preserve POLA) which, when cleared, disables the read-only kld sysctls for
jailed processes.

>How-To-Repeat:

[before the patch]:
#jail /path/to/jail/root jail.host.name 10.0.0.1 /bin/sh
#kldstat
Id Refs Address    Size     Name
 1    8 0xc0100000 172230   kernel
 ...
#

[after the patch]:
#sysctl jail.kldread_allowed=0
jail.kldread_allowed: 1 -> 0
#jail /path/to/jail/root jail.host.name 10.0.0.1 /bin/sh
#kldstat
Id Refs Address    Size     Name
#



>Fix:


Index: sys/sys/jail.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/jail.h,v
retrieving revision 1.8.2.2
diff -u -r1.8.2.2 jail.h
--- sys/sys/jail.h	1 Nov 2000 17:58:06 -0000	1.8.2.2
+++ sys/sys/jail.h	1 Aug 2003 18:50:06 -0000
@@ -49,6 +49,7 @@
 extern int	jail_set_hostname_allowed;
 extern int	jail_socket_unixiproute_only;
 extern int	jail_sysvipc_allowed;
+extern int	jail_kldread_allowed;
 
 #endif /* !_KERNEL */
 #endif /* !_SYS_JAIL_H_ */
Index: sys/kern/kern_jail.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_jail.c,v
retrieving revision 1.6.2.3
diff -u -r1.6.2.3 kern_jail.c
--- sys/kern/kern_jail.c	17 Aug 2001 01:00:26 -0000	1.6.2.3
+++ sys/kern/kern_jail.c	1 Aug 2003 18:50:06 -0000
@@ -44,6 +44,11 @@
     &jail_sysvipc_allowed, 0,
     "Processes in jail can use System V IPC primitives");
 
+int	jail_kldread_allowed = 1;
+SYSCTL_INT(_jail, OID_AUTO, kldread_allowed, CTLFLAG_RW,
+    &jail_kldread_allowed, 0,
+    "Processes in jail can query kld system");
+
 int
 jail(p, uap)
         struct proc *p;
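Review bot: the new knob needs a matching entry in jail(8), which documents the other jail.* sysctls declared just above it (jail.sysvipc_allowed and friends); the description string "Processes in jail can query kld system" could also say what it gates, e.g. "Processes in jail can query the kld system (kldstat(2) and related calls)".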
Index: sys/kern/kern_linker.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_linker.c,v
retrieving revision 1.41.2.3
diff -u -r1.41.2.3 kern_linker.c
--- sys/kern/kern_linker.c	21 Nov 2001 17:50:35 -0000	1.41.2.3
+++ sys/kern/kern_linker.c	1 Aug 2003 18:50:06 -0000
@@ -43,6 +43,7 @@
 #include <sys/namei.h>
 #include <sys/vnode.h>
 #include <sys/sysctl.h>
+#include <sys/jail.h>
 
 #include <vm/vm_zone.h>
 
@@ -727,6 +728,9 @@
     linker_file_t lf;
     int error = 0;
 
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
+
     p->p_retval[0] = -1;
 
     filename = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
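Review bot: this three-line prison check is pasted verbatim into five functions in this file; factoring it into one helper (a hypothetical static inline `jail_kld_denied(p)`, or a macro) keeps the policy in a single place so a later change to the condition cannot drift between call sites. The `p &&` guard is also worth a second look: if `p` could really be NULL here, the unconditional `p->p_retval[0] = -1;` on the next line would already dereference it.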
@@ -755,6 +759,9 @@
     linker_file_t lf;
     int error = 0;
 
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
+
     if (SCARG(uap, fileid) == 0) {
 	if (TAILQ_FIRST(&linker_files))
 	    p->p_retval[0] = TAILQ_FIRST(&linker_files)->id;
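Review bot: the EPERM introduced here is what makes kldstat(8) print only the header for a jailed caller in the How-To-Repeat transcript, since the iteration over files stops on the first error; because this is a new error return for kldnext(2) (and for kldfind(2), kldstat(2), kldfirstmod(2) and kldsym(2) in the other hunks), the ERRORS sections of those manual pages should be updated in the same change.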
@@ -784,6 +791,9 @@
     struct kld_file_stat* stat;
     int namelen;
 
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
+
     lf = linker_find_file_by_id(SCARG(uap, fileid));
     if (!lf) {
 	error = ENOENT;
@@ -828,6 +838,9 @@
     linker_file_t lf;
     int error = 0;
 
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
+
     lf = linker_find_file_by_id(SCARG(uap, fileid));
     if (lf) {
 	if (TAILQ_FIRST(&lf->modules))
@@ -849,6 +862,9 @@
     linker_file_t lf;
     struct kld_sym_lookup lookup;
     int error = 0;
+
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
 
     if ((error = copyin(SCARG(uap, data), &lookup, sizeof(lookup))) != 0)
 	goto out;
>Release-Note:
>Audit-Trail:
>Unformatted:


