Date: Fri, 20 Jan 2023 08:24:26 -0500
From: Shawn Webb
To: Alexander Chernikov
Cc: Alan Somers, "Danilo G. Baio", dev-commits-src-all@freebsd.org
Subject: Re: git: 2c24ad3377a6 - main - ifconfig: abort if loading a module fails other than for ENOENT
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

On Fri, Jan 20, 2023 at 11:04:33AM +0000, Alexander Chernikov wrote:
>
>
> > On 19 Jan 2023, at 17:11, Alan Somers wrote:
> >
> > On Thu, Jan 19, 2023 at 7:03 AM Danilo G. Baio wrote:
> >>
> >>
> >>
> >> On Mon, Jan 9, 2023, at 15:57, Alan Somers wrote:
> >>> The branch main has been updated by asomers:
> >>>
> >>> URL:
> >>> https://cgit.FreeBSD.org/src/commit/?id=2c24ad3377a6f584e484656db8390e4eb7cfc119
> >>>
> >>> commit 2c24ad3377a6f584e484656db8390e4eb7cfc119
> >>> Author: Alan Somers
> >>> AuthorDate: 2022-12-26 02:06:21 +0000
> >>> Commit: Alan Somers
> >>> CommitDate: 2023-01-10 02:56:18 +0000
> >>>
> >>> ifconfig: abort if loading a module fails other than for ENOENT
> >>>
> >>> If "ifconfig create" tries to load a kernel module, and the module
> >>> exists but can't be loaded, fail the command with a useful error
> >>> message. This is helpful, for example, when trying to create a cloned
> >>> interface in a vnet jail. But ignore ENOENT, because sometimes ifconfig
> >>> can't correctly guess the name of the required kernel module.
> >>>
> >>> MFC after: 2 weeks
> >>> Reviewed by: jhb
> >>> Differential Revision: https://reviews.freebsd.org/D37873
> >>> ---
> >>> sbin/ifconfig/ifconfig.c | 18 +++++++++++++-----
> >>> 1 file changed, 13 insertions(+), 5 deletions(-)
> >>>
> >>> diff --git a/sbin/ifconfig/ifconfig.c b/sbin/ifconfig/ifconfig.c > >>> index 462d543125c4..120207a6927e 100644 > >>> --- a/sbin/ifconfig/ifconfig.c > >>> +++ b/sbin/ifconfig/ifconfig.c 
> >>> @@ -1719,11 +1719,19 @@ ifmaybeload(const char *name) > >>> } > >>> } > >>>=20 > >>> - /* > >>> - * Try to load the module. But ignore failures, because ifconf= ig can't > >>> - * infer the names of all drivers (eg mlx4en(4)). > >>> - */ > >>> - (void) kldload(ifkind); > >>> + /* Try to load the module. */ > >>> + if (kldload(ifkind) < 0) { > >>> + switch (errno) { > >>> + case ENOENT: > >>> + /* > >>> + * Ignore ENOENT, because ifconfig can't infer = the > >>> + * names of all drivers (eg mlx4en(4)). > >>> + */ > >>> + break; > >>> + default: > >>> + err(1, "kldload(%s)", ifkind); > >>> + } > >>> + } > >>> } > >>>=20 > >>> static struct cmd basic_cmds[] =3D { 
> >>
> >>
> >> Hi.
> >>
> >> I have a jail with vnet where the interface is renamed that stopped working after this.
> >>
> >> from inside the jail:
> >>
> >> root@test:/ # ifconfig
> >> lo0: flags=8049 metric 0 mtu 16384
> >>         options=680003
> >>         inet6 ::1 prefixlen 128
> >>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x10
> >>         inet 127.0.0.1 netmask 0xff000000
> >>         groups: lo
> >>         nd6 options=21
> >> vnet0b_test: flags=8862 metric 0 mtu 1500
> >>         options=8
> >>         ether 02:27:72:a7:28:0b
> >>         groups: epair
> >>         media: Ethernet 10Gbase-T (10Gbase-T )
> >>         status: active
> >>         nd6 options=29
> >>
> >> root@test:/ # ifconfig vnet0b_test
> >> ifconfig: kldload(if_vnet): Operation not permitted
> >>
> >>
> >> If I don't rename the interface, that works.
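
Review bot: in the new `switch (errno)` inside ifmaybeload(), only `case ENOENT:` is tolerated, so a kldload() that fails with EPERM because the caller may not load modules reaches `default:` and exits via `err(1, "kldload(%s)", ifkind)`. The report quoted with the patch shows this on a plain `ifconfig vnet0b_test` inside a vnet jail ("kldload(if_vnet): Operation not permitted"), a command that only displays an interface. Suggest not calling kldload() on paths that only display an interface, or handling EPERM explicitly, and extending the comment to say which errno values are expected to reach `default:`.
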
> >>
> >> jail.conf:
> >>
> >> test {
> >>   vnet;
> >>   $index = "0";
> >>   vnet.interface = "vnet${index}b_${name}";
> >>   exec.prestart += "ifconfig epair${index} create";
> >>   exec.prestart += "ifconfig ${bridge} addm epair${index}a";
> >>   exec.prestart += "ifconfig epair${index}a up name vnet${index}a_${name}";
> >>   exec.prestart += "ifconfig epair${index}b up name vnet${index}b_${name}";
> >>   exec.poststop += "ifconfig ${bridge} deletem vnet${index}a_${name}";
> >>   exec.poststop += "ifconfig vnet${index}a_${name} destroy";
> >>   devfs_ruleset = "11"; # add path 'bpf*' unhide (devfs.rules)
> >> }
> >>
> >> That's a bit odd, I know, could be using description instead.
> >>
> >> Just reporting.
> >>
> >> Regards.
> >> --
> >> Danilo G. Baio
> >
> > Ugh, it looks like kldload(2) is doing the privilege check before the
> > file existence check. I'm not sure of the best solution:
> > * Change kern_kldload to check for file existence first. This would
> > ring some alarm bells among security folks, and it isn't totally easy
> > to do, either.
> > * Change ifconfig(8) to do an existence check of its own. This would be ugly.
> > * Change ifconfig(8) so that it doesn't attempt to load modules when
> > just listing an interface. This might be incomplete, but is probably
> > worth doing anyway.
> I think another question is that if it should be done by ifconfig(8) at all. Kernel can take care of trying to load the required modules, checking the privileges.
> I’m considering adding such code for the netlink-based interface creation.

An interesting problem unique to HardenedBSD is that since the kld*
syscalls are hardened such that unprivileged users cannot use them at
all (so kldfind(2)/kldstat(8) are completely nonfunctional), this
breaks even read-only operations with ifconfig when specifying the
interface. Meaning, `ifconfig` works, but `ifconfig em0` does not,
when run as an unprivileged user.

I'm of the opinion that read-only operations (like `ifconfig em0`)
should be read-only in every sense. Kernel state should be preserved
unmodified.

The change I made in HardenedBSD is rather simple: force -n to be
enabled by default for all cases. Though, I don't think that's likely
the right solution for FreeBSD. It seems natural that FreeBSD would
want to take a more permissive route.

https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/671eb92efc2c9eef485194e443f7fa8102b2fe97

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
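
Alan Somers' second option in the quoted reply (ifconfig(8) doing an existence check of its own) could be sketched as below. This is an added example, not code from FreeBSD, HardenedBSD or anyone in the thread; the function names are hypothetical, and it assumes the module would be found as `<dir>/<name>.ko` in a semicolon-separated module path.

```c
/* Added illustration; not FreeBSD or HardenedBSD source. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * True if "<dir>/<modname>.ko" exists in any directory of module_path,
 * a semicolon-separated list as in the kern.module_path sysctl.
 * Assumption: the module would be found under that file name.
 */
bool
module_file_exists(const char *module_path, const char *modname)
{
    char file[1024];
    const char *p = module_path;

    while (*p != '\0') {
        size_t len = strcspn(p, ";");
        int n = snprintf(file, sizeof(file), "%.*s/%s.ko",
            (int)len, p, modname);

        if (len > 0 && n > 0 && (size_t)n < sizeof(file) &&
            access(file, F_OK) == 0)
            return (true);
        p += len;
        if (*p == ';')
            p++;
    }
    return (false);
}

/*
 * Classify a failed kldload(modname). Returns 0 when ifconfig should
 * carry on, otherwise the errno it should report before exiting.
 * (Hypothetical helper, named here for the example only.)
 */
int
kldload_failure_errno(const char *module_path, const char *modname,
    int kld_errno)
{
    if (kld_errno == ENOENT)
        return (0);     /* wrong guess at the module name */
    if (kld_errno == EPERM && !module_file_exists(module_path, modname))
        return (0);     /* refused before the lookup; nothing to load */
    return (kld_errno); /* module is there but could not be loaded */
}
```

The check only chooses between ignoring the error and reporting it; the kernel's privilege check in kldload(2) still decides whether a module is loaded.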