From marck@woozle.rinet.ru  Fri Aug  1 12:02:05 2003
Return-Path: <marck@woozle.rinet.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5D46F37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  1 Aug 2003 12:02:05 -0700 (PDT)
Received: from woozle.rinet.ru (woozle.rinet.ru [195.54.192.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 79D7543FCB
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  1 Aug 2003 12:02:04 -0700 (PDT)
	(envelope-from marck@woozle.rinet.ru)
Received: from woozle.rinet.ru (localhost [127.0.0.1])
	by woozle.rinet.ru (8.12.9/8.12.9) with ESMTP id h71J224C087370
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 1 Aug 2003 23:02:02 +0400 (MSD)
	(envelope-from marck@woozle.rinet.ru)
Received: (from marck@localhost)
	by woozle.rinet.ru (8.12.9/8.12.9/Submit) id h71J22ha087369;
	Fri, 1 Aug 2003 23:02:02 +0400 (MSD)
Message-Id: <200308011902.h71J22ha087369@woozle.rinet.ru>
Date: Fri, 1 Aug 2003 23:02:02 +0400 (MSD)
From: Dmitry Morozovsky <marck@rinet.ru>
Reply-To: Dmitry Morozovsky <marck@rinet.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] hide kld system details from jails
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         55163
>Category:       kern
>Synopsis:       [jail] [patch] hide kld system details from jails
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    linimon
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 01 12:10:18 PDT 2003
>Closed-Date:    Tue Jun 19 07:18:21 GMT 2007
>Last-Modified:  Tue Jun 19 07:20:01 GMT 2007
>Originator:     Dmitry Morozovsky
>Release:        FreeBSD 4-STABLE i386
>Organization:
Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD 4-STABLE 


>Description:

It would be useful if we could hide kernel modules structure from jailed
processes.

The following patch (against -STABLE; AFAICS under -CURRENT similar
functionality is achieved via MAC) adds sysctl jail.kldread_allowed (defaults
to 1 to preserve POLA) which, when cleared, disables read-only kld sysctls for
jailed processes.

>How-To-Repeat:

[before the patch]:
#jail /path/to/jail/root jail.host.name 10.0.0.1 /bin/sh
#kldstat
Id Refs Address    Size     Name
 1    8 0xc0100000 172230   kernel
 ...
#

[after the patch]:
#sysctl jail.kldread_allowed=0
jail.kldread_allowed: 1 -> 0
#jail /path/to/jail/root jail.host.name 10.0.0.1 /bin/sh
#kldstat
Id Refs Address    Size     Name
#



>Fix:


Index: sys/sys/jail.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/jail.h,v
retrieving revision 1.8.2.2
diff -u -r1.8.2.2 jail.h
--- sys/sys/jail.h	1 Nov 2000 17:58:06 -0000	1.8.2.2
+++ sys/sys/jail.h	1 Aug 2003 18:50:06 -0000
@@ -49,6 +49,7 @@
 extern int	jail_set_hostname_allowed;
 extern int	jail_socket_unixiproute_only;
 extern int	jail_sysvipc_allowed;
+extern int	jail_kldread_allowed;
 
 #endif /* !_KERNEL */
 #endif /* !_SYS_JAIL_H_ */
Index: sys/kern/kern_jail.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_jail.c,v
retrieving revision 1.6.2.3
diff -u -r1.6.2.3 kern_jail.c
--- sys/kern/kern_jail.c	17 Aug 2001 01:00:26 -0000	1.6.2.3
+++ sys/kern/kern_jail.c	1 Aug 2003 18:50:06 -0000
@@ -44,6 +44,11 @@
     &jail_sysvipc_allowed, 0,
     "Processes in jail can use System V IPC primitives");
 
+int	jail_kldread_allowed = 1;
+SYSCTL_INT(_jail, OID_AUTO, kldread_allowed, CTLFLAG_RW,
+    &jail_kldread_allowed, 0,
+    "Processes in jail can query kld system");
+
 int
 jail(p, uap)
         struct proc *p;
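Review bot: the description string should state what denial looks like to a caller: with the knob cleared, the guarded kld syscalls fail with EPERM (see the kern_linker.c hunks) rather than reporting an empty module list, and the patch touches no manual page, so jail(8) will not mention the new variable. Suggest something like `"Processes in jail can query the kld system (EPERM when 0)"` and a jail(8) addition next to the existing sysvipc_allowed text.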
Index: sys/kern/kern_linker.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_linker.c,v
retrieving revision 1.41.2.3
diff -u -r1.41.2.3 kern_linker.c
--- sys/kern/kern_linker.c	21 Nov 2001 17:50:35 -0000	1.41.2.3
+++ sys/kern/kern_linker.c	1 Aug 2003 18:50:06 -0000
@@ -43,6 +43,7 @@
 #include <sys/namei.h>
 #include <sys/vnode.h>
 #include <sys/sysctl.h>
+#include <sys/jail.h>
 
 #include <vm/vm_zone.h>
 
@@ -727,6 +728,9 @@
     linker_file_t lf;
     int error = 0;
 
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
+
     p->p_retval[0] = -1;
 
     filename = malloc(MAXPATHLEN, M_TEMP, M_WAITOK);
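Review bot: `p` is the calling process in a syscall handler and cannot be NULL here, so the `p &&` half of the condition is dead; the larger issue is that this identical three-line test is pasted into five functions in this file. Suggest defining it once next to the new variable, e.g. in sys/jail.h:
`#define jail_kld_denied(p) (!jail_kldread_allowed && (p)->p_prison)`
and writing `if (jail_kld_denied(p)) return EPERM;` at each call site, so the policy has a single home and is easier to fold into a general framework later.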
@@ -755,6 +759,9 @@
     linker_file_t lf;
     int error = 0;
 
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
+
     if (SCARG(uap, fileid) == 0) {
 	if (TAILQ_FIRST(&linker_files))
 	    p->p_retval[0] = TAILQ_FIRST(&linker_files)->id;
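Review bot: returning EPERM from the `fileid == 0` case stops enumeration at the first step, which is what produces the header-only kldstat output in How-To-Repeat; note that a jailed caller can still tell "denied" from "no modules loaded", because the walk fails with EPERM instead of returning an empty list. That is probably acceptable, but it is worth stating in the commit message so nobody reads "hide" as "indistinguishable from an unloaded system".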
@@ -784,6 +791,9 @@
     struct kld_file_stat* stat;
     int namelen;
 
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
+
     lf = linker_find_file_by_id(SCARG(uap, fileid));
     if (!lf) {
 	error = ENOENT;
@@ -828,6 +838,9 @@
     linker_file_t lf;
     int error = 0;
 
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
+
     lf = linker_find_file_by_id(SCARG(uap, fileid));
     if (lf) {
 	if (TAILQ_FIRST(&lf->modules))
@@ -849,6 +862,9 @@
     linker_file_t lf;
     struct kld_sym_lookup lookup;
     int error = 0;
+
+    if (!jail_kldread_allowed && p && p->p_prison)
+	    return EPERM;
 
     if ((error = copyin(SCARG(uap, data), &lookup, sizeof(lookup))) != 0)
 	goto out;
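Review bot: the check runs before the copyin of `lookup`, so no user-supplied data is read when the policy denies, which is the right order and matches the other hunks; this is also the most important of the five guards, since this call resolves kernel symbol addresses, the one piece of kld information a jail has least business seeing.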
>Release-Note:
>Audit-Trail:

From: Yar Tikhiy <yar@FreeBSD.org>
To: Dmitry Morozovsky <marck@rinet.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55163: [patch] hide kld system details from jails
Date: Mon, 4 Aug 2003 12:19:08 +0400

 Could you please provide a short rationale
 for the feature you're proposing?
 
 -- 
 Yar

From: Dmitry Morozovsky <marck@rinet.ru>
To: Yar Tikhiy <yar@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55163: [patch] hide kld system details from jails
Date: Mon, 4 Aug 2003 12:26:23 +0400 (MSD)

 On Mon, 4 Aug 2003, Yar Tikhiy wrote:
 
 YT> Could you please provide a short rationale
 YT> for the feature you're proposing?
 
 Well, security thru obscurity is not the best technique ;-)
 However, it seems that revealing too much info about the host system to a jail user,
 or even to a jail admin, is not always the best. We plan to use it together with
 Pawel Jakub Dawidek's jailfsstat kernel module.
 
 This code path is rare, so no performance problem I think. Any objections?
 
 
 Sincerely,
 D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------

From: Yar Tikhiy <yar@FreeBSD.org>
To: Dmitry Morozovsky <marck@rinet.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55163: [patch] hide kld system details from jails
Date: Tue, 5 Aug 2003 17:44:32 +0400

 On Mon, Aug 04, 2003 at 12:26:23PM +0400, Dmitry Morozovsky wrote:
 > 
 > Well, security thru obscurity is not the best technique ;-)
 > However, it seems that revealing too much info about the host system to a jail user,
 > or even to a jail admin, is not always the best. We plan to use it together with
 > Pawel Jakub Dawidek's jailfsstat kernel module.
 > 
 > This code path is rare, so no performance problem I think. Any objections?
 
 The only objection I can see is that a generalized framework for
 restricting system interfaces within a jail should be developed
 instead of sticking in "if (foo_allowed)" everywhere.
 
 -- 
 Yar

From: Dmitry Morozovsky <marck@rinet.ru>
To: Yar Tikhiy <yar@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55163: [patch] hide kld system details from jails
Date: Tue, 5 Aug 2003 18:22:53 +0400 (MSD)

 On Tue, 5 Aug 2003, Yar Tikhiy wrote:
 
 YT> > Well, security thru obscurity is not the best technique ;-)
 YT> > However, it seems that revealing too much info about the host system to a jail user,
 YT> > or even to a jail admin, is not always the best. We plan to use it together with
 YT> > Pawel Jakub Dawidek's jailfsstat kernel module.
 YT> >
 YT> > This code path is rare, so no performance problem I think. Any objections?
 YT>
 YT> The only objection I can see is that a generalized framework for
 YT> restricting system interfaces within a jail should be developed
 YT> instead of sticking in "if (foo_allowed)" everywhere.
 
 In general I do agree; however, as far as I can see, in 5.x this functionality
 *is* being developed in a general way via MAC, which has no chance of being
 back-ported; secondly, due to the limited lifetime of the 4.x branch, the
 process of general development would not be successful => I suppose a band-aid
 with if(xxx_allowed) would be appropriate to achieve the desired functionality.
 
 Well, as there are objections, I suppose the discussion should be moved to
 -stable@ ?
 
 Sincerely,
 D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------

From: Yar Tikhiy <yar@FreeBSD.org>
To: Dmitry Morozovsky <marck@rinet.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55163: [patch] hide kld system details from jails
Date: Tue, 5 Aug 2003 18:54:05 +0400

 On Tue, Aug 05, 2003 at 06:22:53PM +0400, Dmitry Morozovsky wrote:
 > 
 > Well, as there are objections, I suppose the discussion should be moved to
 > -stable@ ?
 
 Personally, I'd like to see any new feature discussed in a FreeBSD
 mailing list first.  You see, rare features are completely undoubtful,
 e.g., "this simple patch adds a new sysctl variable that will make
 FreeBSD run twice as fast if set to a non-zero value" ;-)
 
 -- 
 Yar
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Tue Jun 19 01:01:07 UTC 2007 
State-Changed-Why:  
Was this a 4.X-specific fix?  If so, this PR is now obsolete. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55163 
Responsible-Changed-From-To: freebsd-bugs->linimon 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Jun 19 01:01:34 UTC 2007 
Responsible-Changed-Why:  
Track. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55163 
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Tue Jun 19 07:17:43 UTC 2007 
State-Changed-Why:  
Submitter agrees that this was 4.X-specific, so this patch is OBE. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55163 

From: linimon@lonesome.com (Mark Linimon)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/55163: [jail] [patch] hide kld system details from jails
Date: Tue, 19 Jun 2007 02:19:18 -0500

 ----- Forwarded message from Dmitry Morozovsky <marck@rinet.ru> -----
 
 From: Dmitry Morozovsky <marck@rinet.ru>
 Yep, this was RELENG_4 specific; I'm not sure whether such a feature would
 be useful for contemporary systems. However, there should be a totally different
 version of the patch, hence feel free to close the PR.
 
 
 Sincerely,
 D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
 ------------------------------------------------------------------------
 *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
 ------------------------------------------------------------------------
 
 ----- End forwarded message -----
>Unformatted:
