diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 7181fdfba189..1b31781d61bd 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -193,6 +193,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = { {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, {"allow.reserved_ports", "allow.noreserved_ports", PR_ALLOW_RESERVED_PORTS}, + {"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF}, }; const size_t pr_flag_allow_size = sizeof(pr_flag_allow); @@ -3350,6 +3351,15 @@ prison_priv_check(struct ucred *cred, int priv) case PRIV_PROC_SETLOGINCLASS: return (0); + /* + * Do not allow a process inside a jail read the kernel + * message buffer unless explicitly permitted. + */ + case PRIV_MSGBUF: + if (cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF) + return (0); + return (EPERM); + default: /* * In all remaining cases, deny the privilege request. This @@ -3770,6 +3780,8 @@ SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may lock (unlock) physical pages in memory"); SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may bind sockets to reserved ports"); +SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may read the kernel message buffer"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c index e538daada2b4..f58b2a5799ef 100644 --- a/sys/kern/kern_priv.c +++ b/sys/kern/kern_priv.c 
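Review bot: The comment added to the new PRIV_MSGBUF case in prison_priv_check() drops a word ("allow a process inside a jail read"); `* Do not allow a process inside a jail to read the kernel` / `* message buffer unless explicitly permitted via allow.read_msgbuf.` also names the knob an administrator has to flip. The same comment should say that this deny is independent of security.bsd.unprivileged_read_msgbuf: if, as the kern_priv.c hunk suggests, prison_priv_check() runs before the sysctl shortcut, a jail without the flag gets EPERM even for jail root, while a jail with the flag falls through to the ordinary sysctl/superuser decision. That is a behaviour change for existing jails, which until now could read the buffer whenever the sysctl was 1 because the old subr_prf.c handler skipped priv_check() entirely; whether allow.read_msgbuf is on by default for new jails is not visible here and is worth confirming and stating in the commit message. prison_priv_check() starts and ends outside the hunk.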
@@ -62,6 +62,11 @@ static int unprivileged_mlock = 1; SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RWTUN, &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)"); +static int unprivileged_read_msgbuf = 1; +SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf, + CTLFLAG_RW, &unprivileged_read_msgbuf, 0, + "Unprivileged processes may read the kernel message buffer"); + SDT_PROVIDER_DEFINE(priv); SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__ok, "int"); SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__err, "int"); @@ -109,6 +114,17 @@ priv_check_cred(struct ucred *cred, int priv, int flags) } } + if (unprivileged_read_msgbuf) { + /* + * Allow an unprivileged user to read the kernel message + * buffer. + */ + if (priv == PRIV_MSGBUF) { + error = 0; + goto out; + } + } + /* * Having determined if privilege is restricted by various policies, * now determine if privilege is granted. At this point, any policy diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c index efac3bdd3b36..8436cca30c66 100644 --- a/sys/kern/subr_prf.c +++ b/sys/kern/subr_prf.c @@ -1053,11 +1053,6 @@ msgbufinit(void *ptr, int size) oldp = msgbufp; } -static int unprivileged_read_msgbuf = 1; -SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf, - CTLFLAG_RW, &unprivileged_read_msgbuf, 0, - "Unprivileged processes may read the kernel message buffer"); - /* Sysctls for accessing/clearing the msgbuf */ static int sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS) @@ -1066,11 +1061,9 @@ sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS) u_int seq; int error, len; - if (!unprivileged_read_msgbuf) { - error = priv_check(req->td, PRIV_MSGBUF); - if (error) - return (error); - } + error = priv_check(req->td, PRIV_MSGBUF); + if (error) + return (error); /* Read the whole buffer, one chunk at a time. */ mtx_lock(&msgbuf_lock); diff --git a/sys/sys/jail.h b/sys/sys/jail.h index ec1013cb0071..cde09b8b5ff7 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h 
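Review bot: The relocated `unprivileged_read_msgbuf` sysctl keeps CTLFLAG_RW while the `unprivileged_mlock` sysctl it now sits beside is CTLFLAG_RWTUN, so a hardened value cannot be set from loader.conf and only takes effect once sysctl.conf is applied at boot. Since the definition is being moved anyway, `CTLFLAG_RWTUN, &unprivileged_read_msgbuf, 0,` would make the two knobs behave alike; the original definition removed from subr_prf.c in the hunk below was also plain RW, so this is a pre-existing limitation rather than a regression introduced here. If RW is kept on purpose, a short comment saying why would stop the next reader from "fixing" it.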
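Review bot: The new `unprivileged_read_msgbuf` shortcut in priv_check_cred() is correct only by virtue of its position: it yields the documented result (a jail without allow.read_msgbuf still gets EPERM) only if every deny policy the function consults, prison_priv_check() at least, has already run above it, and the hunk shows just the closing braces of the preceding unprivileged_mlock block, not that ordering. A one-line comment pinning the dependency would keep a later reorder from silently widening access, e.g. `/* Must stay after the jail (and any MAC) deny checks above; they override this global grant. */`. The nested `if (unprivileged_read_msgbuf) { if (priv == PRIV_MSGBUF) ... }` mirrors the mlock block's shape, though `if (unprivileged_read_msgbuf && priv == PRIV_MSGBUF)` reads more directly. priv_check_cred() starts and ends outside the hunk.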
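Review bot: sysctl_kern_msgbuf() now calls priv_check() unconditionally, so the access policy has left this file and nothing here tells a reader where it went; a comment above the call such as `/* Policy lives in priv_check_cred(): security.bsd.unprivileged_read_msgbuf and the jail's allow.read_msgbuf decide. */` would save the trip. This also routes the read through whatever deny policies priv_check_cred() applies, which the removed `if (!unprivileged_read_msgbuf)` guard bypassed entirely when the sysctl was 1; that is presumably the intended hardening, but it is a visible behaviour change for jailed callers such as dmesg(8) and deserves a line in the commit message. The function body continues past the hunk.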
@@ -228,9 +228,10 @@ struct prison_racct { #define PR_ALLOW_QUOTAS 0x00000020 #define PR_ALLOW_SOCKET_AF 0x00000040 #define PR_ALLOW_MLOCK 0x00000080 +#define PR_ALLOW_READ_MSGBUF 0x00000100 #define PR_ALLOW_RESERVED_PORTS 0x00008000 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ -#define PR_ALLOW_ALL_STATIC 0x000180ff +#define PR_ALLOW_ALL_STATIC 0x000181ff /* * OSD methods diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index ba5be58a2413..c0e59f3c9a96 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 20, 2018 +.Dd October 17, 2018 .Dt JAIL 8 .Os .Sh NAME @@ -549,6 +549,11 @@ option. The jail root may administer quotas on the jail's filesystem(s). This includes filesystems that the jail may share with other jails or with non-jailed parts of the system. +.It Va allow.read_msgbuf +Jailed users may read the kernel message buffer. +If the +.Va security.bsd.unprivileged_read_msgbuf +MIB entry is zero, this will be restricted to to root user. .It Va allow.socket_af Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that
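Review bot: PR_ALLOW_READ_MSGBUF takes bit 0x00000100, which the old PR_ALLOW_ALL_STATIC value 0x000180ff confirms was unused among the static flags, and the new mask 0x000181ff is exactly the old one with that bit set, so the two edits agree. The mask is maintained by hand with nothing to catch a future flag being added without it; a comment on the definition, `/* OR of every static PR_ALLOW_* above; update when adding a flag. */`, would at least make the obligation visible. The gap between 0x100 and 0x8000 is unexplained in what is visible here; if those bits are reserved for something else, a comment saying so would stop the next flag from landing in them blindly.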