
Provide a MAC policy for granting PRIV_VFS_READ_DIR
AbandonedPublic

Authored by kevans on May 16 2020, 5:48 PM.

Details

Reviewers
debdrup
Group Reviewers
manpages
Summary

This allows system root to unwind read(2) of dirfd restrictions with the security.bsd.allow_read_dir sysctl set in one of two ways:

1.) Allow jail root to read(2) a dir fd
2.) Allow all users to read(2) a dir fd

Jail root and in fact all jail users are included in the all users toggle, which can be used to generally return the system to historical behavior or slightly more secure behavior with at most one module load and two sysctls (security.bsd.allow_read_dir=1 and either security.mac.read_dir.all_users=1 or security.mac.read_dir.jail_root=1).

The mac_read_dir module may be built into the kernel with options MAC_READ_DIR in your kernel configuration or loaded via loader with mac_read_dir_load="YES" in loader.conf(5).
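
An added example, not part of this revision or of FreeBSD: a POSIX sh helper that classifies who may read(2) a directory fd from the three sysctls named in the summary, so a host check can flag the widened states. The function names, the label strings, the treatment of a missing OID as 0 and the "host-root-only" reading of the base sysctl are assumptions.

```shell
#!/bin/sh
# Added example: classify the read(2)-on-directory exposure of a host from
# the three sysctls named in the summary. Function names and labels are
# hypothetical.

# Read one sysctl, falling back to 0 when the OID is absent (module not
# loaded, or a kernel without the knob).
get_oid() {
    sysctl -n "$1" 2>/dev/null || echo 0
}

# classify_read_dir ALLOW_READ_DIR JAIL_ROOT ALL_USERS -> prints a label.
classify_read_dir() {
    allow=${1:-0} jail_root=${2:-0} all_users=${3:-0}

    # The MAC toggles only matter once the base sysctl is set.
    if [ "$allow" -eq 0 ]; then
        echo "disabled"
    # all_users includes jail root and jail users, so test it first.
    elif [ "$all_users" -ne 0 ]; then
        echo "all-users"
    elif [ "$jail_root" -ne 0 ]; then
        echo "jail-root"
    else
        # Assumed: without a MAC grant only non-jailed root qualifies.
        echo "host-root-only"
    fi
}

# Query the running system and report; returns 1 for the widened states.
audit_host() {
    state=$(classify_read_dir \
        "$(get_oid security.bsd.allow_read_dir)" \
        "$(get_oid security.mac.read_dir.jail_root)" \
        "$(get_oid security.mac.read_dir.all_users)")
    echo "read(2) on directory fds: $state"
    case $state in
        all-users|jail-root) return 1 ;;
        *) return 0 ;;
    esac
}

# Only touch the live system when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run with `--audit` on a host to get the live state; the MAC toggles alone, with security.bsd.allow_read_dir=0, classify as disabled.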

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

yuripv added inline comments.
share/man/man4/mac_read_dir.4
35

Typo: directory. Also quoting isn't really needed.

97

MAC history is documented in its man pages, not really needed here?

102

AUTHORS?

Just minor nits. Otherwise the manpage part seems solid.

share/man/man4/mac_read_dir.4
35

Typo

37

read_dir should probably be stylized, right?

I've quickly checked other manual pages like mac_none and it just uses .Nm, e.g.:

    To compile the
    .Nm
    policy

95

mac(4) should probably reference this new manual page as well.

kevans marked 3 inline comments as done.

Incorporate review feedback.

Minor nits only.

lib/libc/sys/read.2
207

Is it "or" or "and/or"?
It's not clear from the man-page if one supersedes the other, but I would naively assume so.

share/man/man4/mac_read_dir.4
30

Prematurely reminding you to bump .Dd because otherwise bcr will do it?

69

Are they MIBs or OIDs?

sysctl(3) mentions MIB but sysctl(9) mentions OID.

kevans marked 5 inline comments as done.

Address review race condition, address @0mp's feedback from before my last update and @debdrup's follow-up.

bcr added a subscriber: bcr.

OK from manpages.

kevans added inline comments.
share/man/man4/mac_read_dir.4
69

Kernel internals deal with OIDs (real identifiers), userland usually deals in terms of MIBs (names).