[Bug 211580] deny system message buffer access from jails



--- Comment #13 from Joe Barbish <[hidden email]> ---
To keep consistent with how things are done in jail(8) this
"security.bsd.unprivileged_read_msgbuf" MIB should be implemented in the same
manner as that used for "allow.raw_sockets". The default being not allowed.
This would enable the ability to change the default for all jails or to
customize per jail from the jail.conf file. Documented in "man 8 jail".

And while doing this some thought should be given to the "security.jail.jailed"
MIB. Currently the "sysctl" console command is allowed to be executed from
within a non-vnet jail. This leaves the door wide open to a compromised jail
being able to obtain information about the host and if he's in a jail. This
type of ability is what jail(8) is supposed to stop by design. This hole needs
to be plugged. I suggest that the "allow.raw_sockets" method be used to enable
the "sysctl" command to execute from within a jail. The default being not

The dmesg and sysctl commands provide the same basic info more or less, and
since the posters to this PR feel that dmesg is a security leak then for sure
sysctl is also.

Even if this change misses the 12.0 deadline, it is a security update and can
be added during the life of 12.0.
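
The "allow.raw_sockets" pattern the comment refers to, shown as a jail.conf fragment. This is an added example, not part of the original message or the FreeBSD sources; jail names, paths and addresses are constructed, and no parameter name for the message buffer or for sysctl is given because the comment does not name one.

```conf
# /etc/jail.conf (constructed example)

# Global section: settings here apply to every jail below unless a
# jail block overrides them.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# Stated explicitly for clarity; raw sockets are already denied by default.
allow.noraw_sockets;

# Ordinary service jail: inherits the deny from the global section.
www {
    path = "/jails/www";
    host.hostname = "www.example.org";
    ip4.addr = 192.0.2.10;
}

# Diagnostic jail: the only one that opts in, so ping(8) and
# traceroute(8) work inside it.
netdiag {
    path = "/jails/netdiag";
    host.hostname = "netdiag.example.org";
    ip4.addr = 192.0.2.11;
    allow.raw_sockets;
}

# A message-buffer or sysctl permission implemented the same way would
# follow this layout: denied by default, granted per jail with an
# "allow.<parameter>;" line in that jail's block.
```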
