[Bug 246412] Return EISDIR when reading a directory
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Jun 4 18:17:46 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246412
--- Comment #4 from commit-hook at freebsd.org ---
A commit references this bug:
Author: kevans
Date: Thu Jun 4 18:17:27 UTC 2020
New revision: 361799
URL: https://svnweb.freebsd.org/changeset/base/361799
Log:
vfs: add restrictions to read(2) of a directory [2/2]
This commit adds the priv(9) that waters down the sysctl to make it only
allow read(2) of a dirfd by the system root. Jailed root is not allowed, but
jail policy and superuser policy will abstain from allowing/denying it so
that a MAC module can fully control the policy.
Such a MAC module has been written, and can be found at:
https://people.freebsd.org/~kevans/mac_read_dir-0.1.0.tar.gz
It is expected that the MAC module won't be needed by many, as most only
need to do such diagnostics that require this behavior as system root
anyways. Interested parties are welcome to grab the MAC module above and
create a port or locally integrate it, and with enough support it could see
introduction to base. As noted in mac_read_dir.c, it is released under the
BSD 2 clause license and allows the restrictions to be lifted for only
jailed root or for all unprivileged users.
PR: 246412
Reviewed by: mckusick, kib, emaste, jilles, cy, phk, imp (all previous)
Reviewed by: rgrimes (latest version)
Differential Revision: https://reviews.freebsd.org/D24596
Changes:
head/lib/libc/sys/read.2
head/sys/kern/kern_jail.c
head/sys/kern/kern_priv.c
head/sys/kern/vfs_vnops.c
head/sys/sys/priv.h
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the freebsd-standards
mailing list