[PATCH] Dangerous jail()<->ioctl interactions.
From: Wojciech A. Koszek (dunstan_at_freebsd.czest.pl)
Date: 02/21/05
- Previous message: Matthew Dillon: "Re: Re[2]: vn_fullpath()"
- Next in thread: Joerg Sonnenberger: "Re: [PATCH] Dangerous jail()<->ioctl interactions."
- Reply: Joerg Sonnenberger: "Re: [PATCH] Dangerous jail()<->ioctl interactions."
- Reply: Xin LI: "Re: [PATCH] Dangerous jail()<->ioctl interactions."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 21 Feb 2005 22:16:56 +0000
To: freebsd-hackers@FreeBSD.org
Hello hackers,
I would like to let you know I've been doing a [partial] audit of ioctl()
code. There are some places which may interest you. These are:
sys/cam/cam_xpt.c
sys/contrib/ipfilter/netinet/ip_fil.c
sys/contrib/pf/net/pf_ioctl.c
sys/dev/ata/ata-all.c
sys/dev/md/md.c
sys/geom/geom_ctl.c
Those files contain ioctl()s which let jailed processes interact with
each of these subsystems. Although files like /dev/mdctl should not
appear in /dev with normal DEVFS rulesets, I think it would be better if FreeBSD had
those ioctl()s disabled within a jail()ed environment. There is probably one
reason for keeping ipf/pf, since someone may want to fetch information about NATed
connections.
How to repeat? Reproducing is very simple. Test environment:
# jail / hostname 127.0.0.1 /bin/csh
After this step you can manipulate ATA devices:
# atacontrol detach <number>
Create/remove md(4) devices:
# mdconfig -a -t malloc -s 100M
# mdconfig -d -u md0
Manipulate cam(4) devices:
# camcontrol reset cd0
# camcontrol eject cd0
Manipulate gbde devices:
# mdconfig -a -t malloc -s 10M
# gbde
Manipulate ipnat/ipf/pf rules:
# ipnat -f /etc/ipnat.conf
# ipnat -CF a
# pfctl -f /etc/pf.some.rules
# ipf -f /etc/ipf.some.rules
Patches with simple suser() tests added are available at:
(sys/cam/cam_xpt.c):
http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.1.jail
(sys/contrib/ipfilter/netinet/ip_fil.c):
http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.2.jail
(/usr/src/sys/contrib/pf/net/pf_ioctl.c):
http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.3.jail
(/usr/src/sys/dev/ata/ata-all.c):
http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.4.jail
(If someone would like to commit it, I can also write style patch).
(/usr/src/sys/dev/md/md.c):
http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.5.jail
(/usr/src/sys/geom/geom_ctl.c):
http://FreeBSD.czest.pl/dunstan/FreeBSD/diff.6.jail
And comments are welcome. If you find some of these patches useful, please
let me know.
Regards,
--
* Wojciech A. Koszek && dunstan@FreeBSD.czest.pl
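The check the patches above add is a plain suser() call at the top of each privileged ioctl request. The following is an added, stand-alone userland model of that check, not code from the patches or from the FreeBSD kernel: it reproduces the FreeBSD 5.x semantics of suser_cred(9), under which uid 0 inside a jail is refused unless the caller passes SUSER_ALLOWJAIL, and runs an unguarded and a guarded ioctl handler against constructed credentials. The struct layouts, the MODEL_DETACH request number, the detach counter and the run() driver are simplifications invented for this example; only the names suser, suser_cred, jailed and SUSER_ALLOWJAIL correspond to real 5.x kernel interfaces.

```c
/* Added userland model (not FreeBSD kernel code) of the jail-aware suser()
 * test placed in front of privileged ioctl requests.  Builds with a plain
 * C compiler; no kernel headers are used. */
#include <errno.h>
#include <stdio.h>

#define SUSER_ALLOWJAIL 0x1   /* same name as the 5.x kernel flag */

/* Simplified stand-ins for the kernel structures (constructed for this model). */
struct prison { const char *pr_host; };
struct ucred  { unsigned cr_uid; struct prison *cr_prison; };
struct thread { struct ucred *td_ucred; };

/* jailed(9): a credential belongs to a jail iff it carries a prison. */
static int jailed(const struct ucred *cr) { return cr->cr_prison != NULL; }

/* Modelled after 5.x suser_cred(): uid 0 is required, and a jailed
 * credential is refused unless the caller explicitly allows jails. */
static int suser_cred(const struct ucred *cr, int flag)
{
    if (cr->cr_uid != 0)
        return EPERM;
    if (jailed(cr) && !(flag & SUSER_ALLOWJAIL))
        return EPERM;
    return 0;
}

/* suser(9): the common form, which never allows jailed callers. */
static int suser(const struct thread *td) { return suser_cred(td->td_ucred, 0); }

/* Hypothetical request number standing in for e.g. an md(4) detach or an
 * ata(4) detach; detach_count records how many requests got through. */
#define MODEL_DETACH 1UL
static int detach_count;

/* Before: the handler trusts anyone who could open the device node. */
static int ioctl_unguarded(struct thread *td, unsigned long cmd)
{
    (void)td;
    if (cmd != MODEL_DETACH)
        return ENOTTY;
    detach_count++;
    return 0;
}

/* After: the simple suser() test the patches add in front of the request. */
static int ioctl_guarded(struct thread *td, unsigned long cmd)
{
    int error;

    if (cmd != MODEL_DETACH)
        return ENOTTY;
    if ((error = suser(td)) != 0)
        return error;
    detach_count++;
    return 0;
}

/* Runs one scenario and returns the ioctl's error code (0 on success). */
static int run(int guarded, unsigned uid, int in_jail, unsigned long cmd)
{
    struct prison pr = { "127.0.0.1" };            /* constructed jail, as in the repro */
    struct ucred cr = { uid, in_jail ? &pr : NULL };
    struct thread td = { &cr };

    return guarded ? ioctl_guarded(&td, cmd) : ioctl_unguarded(&td, cmd);
}

int main(void)
{
    printf("jailed root, unguarded: %d\n", run(0, 0, 1, MODEL_DETACH)); /* 0: gets through */
    printf("jailed root, guarded:   %d\n", run(1, 0, 1, MODEL_DETACH)); /* EPERM */
    printf("host root, guarded:     %d\n", run(1, 0, 0, MODEL_DETACH)); /* 0 */
    printf("host uid 1000, guarded: %d\n", run(1, 1000, 0, MODEL_DETACH)); /* EPERM */
    printf("requests honoured: %d\n", detach_count);
    return 0;
}
```

In a real driver hunk the call is `if ((error = suser(td)) != 0) return (error);` using the `struct thread *td` the ioctl entry point already receives; a subsystem that deliberately wants to stay usable from inside a jail (the ipf/pf case mentioned above) would pass SUSER_ALLOWJAIL to suser_cred() instead. Note that FreeBSD 7 and later replaced suser(9) with priv_check(9), so the same guard reads `priv_check(td, PRIV_...)` there, with the jail policy applied centrally rather than per call site.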