Index: lib/libc/sys/read.2
===================================================================
--- lib/libc/sys/read.2
+++ lib/libc/sys/read.2
@@ -28,7 +28,7 @@
.\" @(#)read.2 8.4 (Berkeley) 2/26/94
.\" $FreeBSD$
.\"
-.Dd May 15, 2020
+.Dd May 16, 2020
.Dt READ 2
.Os
.Sh NAME
@@ -200,10 +200,13 @@
and no data were ready to be read.
.It Bq Er EISDIR
The file descriptor is associated with a directory.
-Directories may only be read directly by root if the filesystem supports it and
-the
+Directories may only be read directly by the system root if the filesystem
+supports it and the
.Dv security.bsd.allow_read_dir
sysctl MIB is set to a non-zero value.
+Jailed root or even all users may be allowed as well with
+.Xr mac_read_dir 4 .
+.Pp
For most scenarios, the
.Xr readdir 3
function should be used instead.
Index: share/man/man4/Makefile
===================================================================
--- share/man/man4/Makefile
+++ share/man/man4/Makefile
@@ -271,6 +271,7 @@
mac_ntpd.4 \
mac_partition.4 \
mac_portacl.4 \
+ mac_read_dir.4 \
mac_seeotheruids.4 \
mac_stub.4 \
mac_test.4 \
Index: share/man/man4/mac_read_dir.4
===================================================================
--- /dev/null
+++ share/man/man4/mac_read_dir.4
@@ -0,0 +1,104 @@
+.\"
+.\" SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+.\"
+.\" Copyright (c) 2020 Kyle Evans <kevans@FreeBSD.org>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd May 16, 2020
+.Dt MAC_READ_DIR 4
+.Os
+.Sh NAME
+.Nm mac_read_dir
+.Nd policy allowing read(2) of a directory fd
+.Sh SYNOPSIS
+To compile the read_dir policy into your kernel, place the following lines
+in your kernel configuration file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Cd "options MAC_READ_DIR"
+.Ed
+.Pp
+Alternately, to load the read_dir policy module at boot time,
+place the following line in your kernel configuration file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Ed
+.Pp
+and in
+.Xr loader.conf 5 :
+.Bd -literal -offset indent
+mac_read_dir_load="YES"
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+policy may grant users other than the system root the ability to use
+.Xr read 2
+on a directory fd.
+Specifically, this policy may grant the
+.Dv PRIV_VFS_READ_DIR
+privilege based on the runtime configuration, assuming the
+.Va security.bsd.allow_read_dir
+sysctl MIB is set to a non-zero value.
+.Ss Runtime Configuration
+The following
+.Xr sysctl 8
+MIBs are available for fine-tuning this MAC policy.
+All
+.Xr sysctl 8
+variables can also be set as
+.Xr loader 8
+tunables in
+.Xr loader.conf 5 .
+.Bl -tag -width indent
+.It Va security.mac.read_dir.enabled
+Enable the
+.Nm
+policy.
+(Default: 1).
+.It Va security.mac.read_dir.all_users
+Grant
+.Dv PRIV_VFS_READ_DIR
+to all users on the system.
+This MIB includes the functionality of the later described
+.Va security.mac.read_dir.jail_root
+MIB.
+.It Va security.mac.read_dir.jail_root
+Grant
+.Dv PRIV_VFS_READ_DIR
+to root in a jail.
+.El
+.Sh SEE ALSO
+.Xr mac 4
+.Sh HISTORY
+.Nm
+first appeared in
+.Fx 13.0 .
+.Sh AUTHORS
+.An -nosplit
+The
+.Nm
+module was written by
+.An Kyle Evans Aq Mt kevans@FreeBSD.org .
Index: sys/conf/NOTES
===================================================================
--- sys/conf/NOTES
+++ sys/conf/NOTES
@@ -1224,6 +1224,7 @@
options MAC_NTPD
options MAC_PARTITION
options MAC_PORTACL
+options MAC_READ_DIR
options MAC_SEEOTHERUIDS
options MAC_STUB
options MAC_TEST
Index: sys/conf/files
===================================================================
--- sys/conf/files
+++ sys/conf/files
@@ -4909,6 +4909,7 @@
security/mac_ntpd/mac_ntpd.c optional mac_ntpd
security/mac_partition/mac_partition.c optional mac_partition
security/mac_portacl/mac_portacl.c optional mac_portacl
+security/mac_read_dir/mac_read_dir.c optional mac_read_dir
security/mac_seeotheruids/mac_seeotheruids.c optional mac_seeotheruids
security/mac_stub/mac_stub.c optional mac_stub
security/mac_test/mac_test.c optional mac_test
Index: sys/conf/options
===================================================================
--- sys/conf/options
+++ sys/conf/options
@@ -159,6 +159,7 @@
MAC_NTPD opt_dontuse.h
MAC_PARTITION opt_dontuse.h
MAC_PORTACL opt_dontuse.h
+MAC_READ_DIR opt_dontuse.h
MAC_SEEOTHERUIDS opt_dontuse.h
MAC_STATIC opt_mac.h
MAC_STUB opt_dontuse.h
Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c
+++ sys/kern/kern_jail.c
@@ -3323,6 +3323,14 @@
else
return (EPERM);
+ /*
+ * Jails should hold no disposition on the PRIV_VFS_READ_DIR
+ * policy. priv_check_cred will not specifically allow it, and
+ * we may want a MAC policy to allow it.
+ */
+ case PRIV_VFS_READ_DIR:
+ return (0);
+
/*
* Conditionnaly allow locking (unlocking) physical pages
* in memory.
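Review bot: The new `case PRIV_VFS_READ_DIR: return (0);` makes prison_priv_check neutral for this privilege, so keeping jailed root from being granted it rests entirely on the companion kern_priv.c hunk that breaks out of the superuser switch when `jailed(cred)`; if that hunk were reverted or reordered, jailed root would be granted through the uid-0 default. The comment should name that dependency explicitly, e.g. `* The jailed-root decision is made in priv_check_cred(); see kern_priv.c.` rather than only "priv_check_cred will not specifically allow it". The enclosing switch and prison_priv_check both extend outside the hunk.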
Index: sys/kern/kern_priv.c
===================================================================
--- sys/kern/kern_priv.c
+++ sys/kern/kern_priv.c
@@ -194,6 +194,13 @@
goto out;
}
break;
+ case PRIV_VFS_READ_DIR:
+ /*
+ * Allow PRIV_VFS_READ_DIR for root if we're not in a
+ * jail, otherwise deny unless a MAC policy grants it.
+ */
+ if (jailed(cred))
+ break;
default:
if (cred->cr_uid == 0) {
error = 0;
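Review bot: The non-jailed path of the new `case PRIV_VFS_READ_DIR:` reaches `default:` by implicit fall-through, which is the intended grant-to-root path but is unmarked; add `/* FALLTHROUGH */` after the jailed `break;` so readers and -Wimplicit-fallthrough see it is deliberate. As visible, a jailed credential leaves the switch without setting error, so the decision for jailed root is deferred to whatever follows the switch (presumably the MAC grant check the comment refers to); the switch and priv_check_cred continue outside the hunk. Proposed lines: `if (jailed(cred))` / `	break;` / `/* FALLTHROUGH */`.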
Index: sys/modules/Makefile
===================================================================
--- sys/modules/Makefile
+++ sys/modules/Makefile
@@ -218,6 +218,7 @@
mac_ntpd \
mac_partition \
mac_portacl \
+ mac_read_dir \
mac_seeotheruids \
mac_stub \
mac_test \
Index: sys/modules/mac_read_dir/Makefile
===================================================================
--- /dev/null
+++ sys/modules/mac_read_dir/Makefile
@@ -0,0 +1,8 @@
+# $FreeBSD$
+
+.PATH: ${SRCTOP}/sys/security/mac_read_dir
+
+KMOD= mac_read_dir
+SRCS= mac_read_dir.c
+
+.include <bsd.kmod.mk>
Index: sys/security/mac_read_dir/mac_read_dir.c
===================================================================
--- /dev/null
+++ sys/security/mac_read_dir/mac_read_dir.c
@@ -0,0 +1,78 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
+ * Copyright (c) 2020 Kyle Evans <kevans@FreeBSD.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/param.h>
+#include <sys/jail.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/priv.h>
+#include <sys/sysctl.h>
+#include <sys/ucred.h>
+
+#include <security/mac/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+static SYSCTL_NODE(_security_mac, OID_AUTO, read_dir,
+ CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
+ "mac_read_dir policy controls");
+
+static int read_dir_enabled = 1;
+SYSCTL_INT(_security_mac_read_dir, OID_AUTO, enabled, CTLFLAG_RWTUN,
+ &read_dir_enabled, 0, "Enable mac_read_dir policy");
+
+static int read_dir_jail_root;
+SYSCTL_INT(_security_mac_read_dir, OID_AUTO, jail_root, CTLFLAG_RWTUN,
+ &read_dir_jail_root, 0, "Allow jailed root to read directories");
+
+static int read_dir_all_users;
+SYSCTL_INT(_security_mac_read_dir, OID_AUTO, all_users, CTLFLAG_RWTUN,
+ &read_dir_all_users, 0, "Allow all users to read directories");
+
+static int
+read_dir_priv_grant(struct ucred *cred, int priv)
+{
+
+ if (!read_dir_enabled || priv != PRIV_VFS_READ_DIR)
+ return (EPERM);
+
+ if (read_dir_all_users)
+ return (0);
+ if (read_dir_jail_root && jailed(cred) && cred->cr_uid == 0)
+ return (0);
+ return (EPERM);
+}
+
+static struct mac_policy_ops read_dir_ops =
+{
+ .mpo_priv_grant = read_dir_priv_grant,
+};
+
+MAC_POLICY_SET(&read_dir_ops, mac_read_dir, "MAC/read_dir",
+ MPC_LOADTIME_FLAG_UNLOADOK, NULL);
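Review bot: The policy has no file-level or function comment explaining what read_dir_priv_grant decides and in what order, so the sysctl description strings are the only documentation; none of them states that `all_users` grants PRIV_VFS_READ_DIR to every credential regardless of uid or jail, or that these knobs only matter once the vfs-side `security.bsd.allow_read_dir` gate (per the mac_read_dir.4 text in this review) is non-zero. Add a short block comment above `read_dir_priv_grant` describing the evaluation order (enabled, then all_users, then jail_root for a jailed credential with effective uid 0) and noting that EPERM for any other privilege simply lets the framework consult other policies. It is also worth stating that the jail_root test keys on `cred->cr_uid`, the effective uid, so presumably any process running with effective uid 0 inside the jail qualifies, not only a root login shell.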
D24862: Provide a MAC policy for granting PRIV_VFS_READ_DIR