vfs: add restrictions to read(2) of a directory [2/2]

This commit adds the priv(9) that waters down the sysctl to make it only allow read(2) of a dirfd by the system root. Jailed root is not allowed, but jail policy and superuser policy will abstain from allowing/denying it so that a MAC module can fully control the policy. Such a MAC module has been written, and can be found at: https://people.freebsd.org/~kevans/mac_read_dir-0.1.0.tar.gz It is expected that the MAC module won't be needed by many, as most only need to do such diagnostics that require this behavior as system root anyways. Interested parties are welcome to grab the MAC module above and create a port or locally integrate it, and with enough support it could see introduction to base. As noted in mac_read_dir.c, it is released under the BSD 2 clause license and allows the restrictions to be lifted for only jailed root or for all unprivileged users. PR: 246412 Reviewed by: mckusick, kib, emaste, jilles, cy, phk, imp (all previous) Reviewed by: rgrimes (latest version) Differential Revision: https://reviews.freebsd.org/D24596
2020-06-04 18:17:25 +00:00 · 2020-06-04 18:17:25 +00:00 · 63619b6dba
commit 63619b6dba
parent dcef4f65ae
5 changed files with 23 additions and 2 deletions
--- a/lib/libc/sys/read.2
+++ b/lib/libc/sys/read.2
@ -200,7 +200,7 @@ The file was marked for non-blocking I/O,
 and no data were ready to be read.
 .It Bq Er EISDIR
 The file descriptor is associated with a directory.
-Directories may only be read directly if the filesystem supports it and
+Directories may only be read directly by root if the filesystem supports it and
 the
 .Dv security.bsd.allow_read_dir
 sysctl MIB is set to a non-zero value.
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@ -3323,6 +3323,14 @@ prison_priv_check(struct ucred *cred, int priv)
 		else
 			return (EPERM);

+		/*
+		 * Jails should hold no disposition on the PRIV_VFS_READ_DIR
+		 * policy.  priv_check_cred will not specifically allow it, and
+		 * we may want a MAC policy to allow it.
+		 */
+	case PRIV_VFS_READ_DIR:
+		return (0);
+
 		/*
 		 * Conditionnaly allow locking (unlocking) physical pages
 		 * in memory.
--- a/sys/kern/kern_priv.c
+++ b/sys/kern/kern_priv.c
@ -194,6 +194,14 @@ priv_check_cred(struct ucred *cred, int priv)
 				goto out;
 			}
 			break;
+		case PRIV_VFS_READ_DIR:
+			/*
+			 * Allow PRIV_VFS_READ_DIR for root if we're not in a
+			 * jail, otherwise deny unless a MAC policy grants it.
+			 */
+			if (jailed(cred))
+				break;
+			/* FALLTHROUGH */
 		default:
 			if (cred->cr_uid == 0) {
 				error = 0;
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@ -1226,13 +1226,17 @@ vn_io_fault(struct file *fp, struct uio *uio, struct ucred *active_cred,
 	 * The ability to read(2) on a directory has historically been
 	 * allowed for all users, but this can and has been the source of
 	 * at least one security issue in the past.  As such, it is now hidden
-	 * away behind a sysctl for those that actually need it to use it.
+	 * away behind a sysctl for those that actually need it to use it, and
+	 * restricted to root when it's turned on to make it relatively safe to
+	 * leave on for longer sessions of need.
 	 */
 	if (vp->v_type == VDIR) {
 		KASSERT(uio->uio_rw == UIO_READ,
 		    ("illegal write attempted on a directory"));
 		if (!vfs_allow_read_dir)
 			return (EISDIR);
+		if ((error = priv_check(td, PRIV_VFS_READ_DIR)) != 0)
+			return (EISDIR);
 	}

 	foffset_lock_uio(fp, uio, flags);
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@ -283,6 +283,7 @@
 #define	PRIV_VFS_SYSFLAGS	342	/* Can modify system flags. */
 #define	PRIV_VFS_UNMOUNT	343	/* Can unmount(). */
 #define	PRIV_VFS_STAT		344	/* Override vnode MAC stat perm. */
+#define	PRIV_VFS_READ_DIR	345	/* Can read(2) a dirfd, needs sysctl. */

 /*
 * Virtual memory privileges.