From stas@dracon.310.ru  Sun Aug  7 05:23:20 2005
Return-Path: <stas@dracon.310.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 06D2616A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  7 Aug 2005 05:23:20 +0000 (GMT)
	(envelope-from stas@dracon.310.ru)
Received: from dracon.310.ru (dracon.310.ru [83.97.105.66])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 55A72443CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  7 Aug 2005 05:23:19 +0000 (GMT)
	(envelope-from stas@dracon.310.ru)
Received: from dracon.310.ru (localhost.310.ru [127.0.0.1])
	by dracon.310.ru (8.13.3/8.13.1) with ESMTP id j775NI7x050143
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 7 Aug 2005 09:23:18 +0400 (MSD)
	(envelope-from stas@dracon.310.ru)
Received: (from stas@localhost)
	by dracon.310.ru (8.13.3/8.13.1/Submit) id j775ND4W050142;
	Sun, 7 Aug 2005 09:23:13 +0400 (MSD)
	(envelope-from stas)
Message-Id: <200508070523.j775ND4W050142@dracon.310.ru>
Date: Sun, 7 Aug 2005 09:23:13 +0400 (MSD)
From: Stanislav Sedov <stas@310.ru>
Reply-To: Stanislav Sedov <stas@310.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: md(4) driver breaks strict security rules
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         84635
>Category:       kern
>Synopsis:       [patch] md(4) driver breaks strict security rules
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    csjp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 07 05:30:17 GMT 2005
>Closed-Date:    Wed Oct 12 17:29:49 GMT 2005
>Last-Modified:  Wed Oct 12 17:29:49 GMT 2005
>Originator:     Stanislav Sedov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
310.ru [Tridesyatoe]
>Environment:
System: FreeBSD stalingrad.realnet 7.0-CURRENT FreeBSD 7.0-CURRENT #96: Thu Jul 28 21:05:39 UTC 2005 root@stalingrad.realnet:/work/src/fbsd-cur/src/sys/i386/compile/DESKTOP i386


	
>Description:
	The md(4) driver doesn't check write permissions on the files it is
backed by. So somebody with root perms can write to files when the schg flag is set.
This driver also ignores MAC policies.

>How-To-Repeat:
	
>Fix:

	

--- md.c.diff begins here ---
--- sys/dev/md/md.c.orig	Wed Jul 27 11:34:28 2005
+++ sys/dev/md/md.c	Wed Jul 27 15:28:28 2005
@@ -510,6 +510,8 @@
 		error = VOP_READ(sc->vnode, &auio, IO_DIRECT, sc->cred);
 		VOP_UNLOCK(sc->vnode, 0, curthread);
 	} else {
+		if (sc->flags & MD_READONLY)
+			return ENOTSUPP;
 		(void)vn_start_write(sc->vnode, &mp, V_WAIT);
 		vn_lock(sc->vnode, LK_EXCLUSIVE | LK_RETRY, curthread);
 		error = VOP_WRITE(sc->vnode, &auio,
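
Review bot: The added `return ENOTSUPP;` in the write branch lacks the parentheses used by the other returns visible in this file (`return (error);`). EROFS, which the attach path already treats as the read-only case, would tell the caller more than ENOTSUPP does. This branch also returns directly while the read branch assigns `error` and continues, so confirm nothing set up earlier in the function has to be released before leaving.
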
@@ -879,7 +881,7 @@
 	error = copyinstr(mdio->md_file, sc->file, sizeof(sc->file), NULL);
 	if (error != 0)
 		return (error);
-	flags = FREAD|FWRITE;
+	flags = sc->flags & MD_READONLY ? FREAD : (FREAD|FWRITE);
 	NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td);
 	error = vn_open(&nd, &flags, 0, -1);
 	if (error != 0) {
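
Review bot: The new `flags` assignment should parenthesise its test, as in `(sc->flags & MD_READONLY) ? FREAD : (FREAD|FWRITE)`, so the precedence is explicit and it matches the `if (sc->flags & MD_READONLY)` form in the first hunk. When MD_READONLY is already set and vn_open() fails with EACCES, EPERM or EROFS, the fallback in the following hunk clears an FWRITE bit that was never set and retries the identical open; consider skipping the retry when FWRITE was not requested.
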
@@ -887,6 +889,7 @@
 		if (error != EACCES && error != EPERM && error != EROFS)
 			return (error);
 		flags &= ~FWRITE;
+		sc->flags |= MD_READONLY;
 		NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td);
 		error = vn_open(&nd, &flags, 0, -1);
 	}
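
Review bot: `sc->flags |= MD_READONLY` is set before the second vn_open() is known to succeed, so the flag stays set on `sc` even if the retry fails; setting it after a successful retry would be cleaner. The downgrade from read-write to read-only is also silent, so a comment saying that a failed write open turns the device read-only would help. Note that the access decision is taken only here at open time, and the write path in the first hunk relies entirely on this flag afterwards.
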
--- md.c.diff ends here ---

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->csjp 
Responsible-Changed-By: csjp 
Responsible-Changed-When: Sun Aug 7 17:04:11 GMT 2005 
Responsible-Changed-Why:  
I will take ownership of this PR 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84635 
State-Changed-From-To: open->patched 
State-Changed-By: csjp 
State-Changed-When: Wed Aug 17 01:42:11 GMT 2005 
State-Changed-Why:  
This was patched in src/sys/dev/md/md.c revision 1.154, see commit 
log for any details 

State-Changed-From-To: patched->closed 
State-Changed-By: csjp 
State-Changed-When: Wed Oct 12 17:28:59 GMT 2005 
State-Changed-Why:  
Fixed in: 

sys/dev/md/md.c revision 1.154 
sbin/mdconfig/mdconfig.c revision 1.44 

Thanks for bringing this to our attention! 

>Unformatted:
