[Bug 211580] deny system message buffer access from jails
bugzilla-noreply at freebsd.org
Sat Oct 13 19:13:51 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211580
--- Comment #13 from Joe Barbish <qjail1 at a1poweruser.com> ---
To keep consistent with how things are done in jail(8) this
"security.bsd.unprivileged_read_msgbuf" MIB should be implemented in the same
manner as that used for "allow.raw_sockets". The default being not allowed.
This would enable the ability to change the default for all jails or to
customize per jail from the jail.conf file. Documented in "man 8 jail".
And while doing this some thought should be given to the "security.jail.jailed"
MIB. Currently the "sysctl" console command is allowed to be executed from
within a non-vnet jail. This leaves the door wide open to a compromised jail
being able to obtain information about the host and if he's in a jail. This
type of ability is what jail(8) is supposed to stop by design. This hole needs
to be plugged. I suggest that the "allow.raw_sockets" method be used to enable
the "sysctl" command to execute from within a jail. The default being not
allowed.
The dmesg and sysctl commands provide the same basic info more or less, and
since the posters to this PR feel that dmesg is a security leak then for sure
sysctl is also.
Even if this change misses the 12.0 deadline, it is a security update and can
be added during the life of 12.0.