From: bugzilla-noreply@freebsd.org
To: geom@FreeBSD.org
Subject: [Bug 277228] Device permissions security hole with partitioning (/dev/geom.ctl)
Date: Mon, 26 Feb 2024 00:59:55 +0000
List-Id: GEOM-specific discussions and implementations
List-Archive: https://lists.freebsd.org/archives/freebsd-geom
X-Bugzilla-Product: Base System
X-Bugzilla-Component: misc
X-Bugzilla-Keywords: security
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: imp@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: geom@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277228

--- Comment #4 from Warner Losh ---

(In reply to Kyle Evans from comment #3)

There's no API for cdevs to get their owners, nor is there any process associated with the request by the time we get into the geom nodes that are fielding the verbs. So it's quite difficult to apply security checks that deeply down in the stack since there's no process context associated with the request. One could do ad-hoc things at that level, but no other drivers do that sort of thing. Once you are past the 'open' check, there's very little else.

One could add checks at the ioctl, but you don't know what node(s) the command affects there (without putting all the knowledge of the lower layers into the ioctl).

What's unclear to me, though I think it would work, would just be to remove any permission for operator for /dev/geom.ctl (that is make it 0600 permission). I don't think there's anything that operator needs to do its mandate (such as it still is) that it can't get from other sources.

Operator already can read all the data in your system, though, so there's already a fair amount of trust in operator.

-- 
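The comment's proposed mitigation is to strip every group and other bit from /dev/geom.ctl, leaving it 0600. The script below is an added example, not code from this thread or from FreeBSD, that lets an administrator verify whether a device node is in that state: it parses an octal mode string as printed by FreeBSD stat(1) with %Lp (or GNU stat with %a, assumed here for portability), reports which bits the group still holds, and only touches the live /dev/geom.ctl node when it actually exists on the running system.

```sh
#!/bin/sh
# Added example, not part of the bug thread or of FreeBSD.
# Checks whether a device node such as /dev/geom.ctl still grants any
# access to group or other, which is what the comment proposes removing
# by making the node 0600.
# Assumption: mode strings are octal as printed by FreeBSD stat(1) with
# %Lp (e.g. "640") or by GNU stat with %a; a leading 0 or setuid/setgid
# digit is tolerated because only the last two digits are examined.

# mode_is_owner_only MODE -> returns 0 when group and other bits are all clear
mode_is_owner_only() {
    m=$1
    # Last two octal digits are the group and other permission digits.
    go=${m#"${m%??}"}
    [ "$go" = "00" ]
}

# mode_group_bits MODE -> prints the group digit (r=4, w=2, x=1 summed)
mode_group_bits() {
    m=$1
    go=${m#"${m%??}"}
    printf '%s\n' "${go%?}"
}

# check_node PATH -> prints a one-line verdict; returns 0 only if owner-only
check_node() {
    path=$1
    # BSD stat and GNU stat spell the format flags differently.
    case $(uname -s) in
        FreeBSD|*BSD|Darwin) info=$(stat -f '%Lp %Su %Sg' "$path") ;;
        *)                   info=$(stat -c '%a %U %G' "$path") ;;
    esac
    set -- $info
    mode=$1 owner=$2 group=$3
    if mode_is_owner_only "$mode"; then
        printf '%s: mode %s %s:%s - owner only\n' "$path" "$mode" "$owner" "$group"
        return 0
    fi
    printf '%s: mode %s %s:%s - group %s still holds bits %s\n' \
        "$path" "$mode" "$owner" "$group" "$group" "$(mode_group_bits "$mode")"
    return 1
}

# Live check only where the node exists (FreeBSD); a no-op elsewhere.
if [ -e /dev/geom.ctl ]; then
    check_node /dev/geom.ctl ||
        echo "consider: chmod 0600 /dev/geom.ctl, and a matching perm line in /etc/devfs.conf"
fi
```

A plain chmod on the node does not survive a reboot because devfs recreates it with the driver's built-in mode; the persistent form is a `perm geom.ctl 0600` line in /etc/devfs.conf, which rc applies at boot (see devfs.conf(5)). Running the check from a periodic job turns the comment's suggestion into something that can be audited rather than assumed.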