Provide a MAC policy for granting PRIV_VFS_READ_DIR
AbandonedPublic
Actions

Authored by kevans on May 16 2020, 5:48 PM.

Details

Reviewers

debdrup

Group Reviewers

manpages

Summary

This allows system root to unwind read(2) of dirfd restrictions with the security.bsd.allow_read_dir sysctl set in one of two ways:

1.) Allow jail root to read(2) a dir fd
2.) Allow all users to read(2) a dir fd

Jail root and in-fact all jail users are included in the all users toggle, which can be used to generally return the system to historical behavior or slightly more secure behavior with at most one module load and two sysctls (security.bsd.allow_read_dir=1 and either security.mac.read_dir.all_users=1 or security.mac.read_dir.jail_root=1).

The mac_read_dir module may be built into the kernel with options MAC_READ_DIR in your kernel configuration or loaded via loader with mac_read_dir_load="YES" in loader.conf(5).

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 31120

Event Timeline

kevans created this revision.May 16 2020, 5:48 PM

Herald added a reviewer: manpages. · View Herald TranscriptMay 16 2020, 5:48 PM

Herald added a subscriber: imp. · View Herald Transcript

kevans requested review of this revision.May 16 2020, 5:48 PM

Harbormaster completed remote builds in B31113: Diff 71861.May 16 2020, 5:48 PM

kevans added a parent revision: D24596: vfs: add restrictions to read(2) of a directory.May 16 2020, 5:49 PM

modules/Makefile

Harbormaster completed remote builds in B31114: Diff 71862.May 16 2020, 5:51 PM

kevans added a reviewer: debdrup.May 16 2020, 5:53 PM

gbe added a subscriber: gbe.May 16 2020, 5:53 PM

yuripv added a subscriber: yuripv.May 16 2020, 6:55 PM

yuripv added inline comments.

share/man/man4/mac_read_dir.4
35	Typo: directory. Also quoting isn't really needed.
97	MAC history is documented in its man pages, not really needed here?
102	AUTHORS?

Just minor nits. Otherwise the manpage part seems solid.

share/man/man4/mac_read_dir.4
35	Typo
37	`read_dir` should probably be stylized, right? I've quickly checked other manual pages like `mac_none` and it just uses .Nm, e.g.: To compile the .Nm policy
95	mac(4) should probably reference this new manual page as well.

Incorporate review feedback.

Harbormaster completed remote builds in B31119: Diff 71867.May 16 2020, 7:09 PM

Minor nits only.

lib/libc/sys/read.2
207	Is it "or" or "and/or"? It's not clear from the man-page if one supersedes the other, but I would naively assume so.
share/man/man4/mac_read_dir.4
30	Prematurely reminding you to bump .Dd because otherwise bcr will do it?
69	Are they MIBs or OIDs? sysctl(3) mentions MIB but sysctl(9) mentions OID.