Re: Weird behavior with /dev/mem

From: Robert Watson <rwatson_at_freebsd.org>
Date: Fri, 31 Oct 2003 14:49:37 -0500 (EST)
On Fri, 31 Oct 2003, Daniel C. Sobral wrote:

> Doug White wrote:
> > On Fri, 31 Oct 2003, Daniel C. Sobral wrote:
> > 
> >>Weird thing. I updated my system today (October 31), and now I can't
> >>list routes from syscons. But I still can list routes from Konsole, on
> >>X. Following a suggestion by Genesys, I checked permissions of /dev/mem
> >>and netstat and... for some reason, I can't stat /dev/mem under syscons!
> > 
> > You didn't mount that filesystem nosuid, did you?
> 
> No. And, as a matter of fact, the error is user-agnostic. In fact, in
> the example below the problem happen with the root user, while user dcs
> is home free. 
> 
> MMmmmm... I know what it is. It's something with mac, because X is run
> with /usr/sbin/setpmac mls/equal. (tests) Yep, that's it. 
> 
> Ok, rwatson, it's all your fault. Sneaky, sneaky. 

Hey, imagine that, a security check preventing something insecure :-).
With MLS enabled, /dev/kmem and /dev/mem are labeled as mls/high since
they potentially hold state associated with processes and objects with
high labels.  As a result, users without the necessary clearance to view
mls/high data can't use tools that grub around in kernel memory.  Tools
that use sysctl, on the other hand, are generally no problem.  The usual
fixes are:

(1) Teach netstat not to use kmem, instead use a more controlled export
    method.

(2) Make netstat exempt from the policy (i.e., run with setpmac mls/equal
    netstat, or we could introduce a transition mechanism for MLS).

(3) Only run netstat from contexts that are either allowed to access
    kernel memory (generally, mls/high), or are exempt (mls/equal).

Are you using kdm/xdm to log in, or using startx?  It's fairly likely
xdm/kdm aren't setting your label on login, and so you're getting the
label from the context they were run from.  Whereas when you log in using
login(1), your label is set properly.  getpmac should reveal whether
this is the case.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert_at_fledge.watson.org      Network Associates Laboratories

> 
> >>Here are a couple of typescripts I got:
> >>
> >>[0] dcs_at_dcs:/opt/home/dcs$ cat from_konsole
> >>Script started on Fri Oct 31 17:25:04 2003
> >>dcs_at_dcs:/opt/home/dcs$ ls -ld /dev
> >>dr-xr-xr-x  4 root  wheel  512 Oct 31 13:56 /dev
> >>dcs_at_dcs:/opt/home/dcs$ ls -l /dev/mem
> >>crw-r-----  1 root  kmem    2,   0 Oct 31 15:54 /dev/mem
> >>dcs_at_dcs:/opt/home/dcs$ ls -l /usr/bin/netstat
> >>-r-xr-sr-x  1 root  kmem  108664 Oct 31 13:18 /usr/bin/netstat
> >>dcs_at_dcs:/opt/home/dcs$ netstat -nr
> >>Routing tables
> >>
> >>Internet:
> >>Destination        Gateway            Flags    Refs      Use  Netif Expire
> >>default            10.0.11.1          UGSc        0        0   fxp0
> >>10/16              link#1             UC          0        0   fxp0
> >>10.0.2.72          00:04:23:2a:13:7b  UHLW        0        1   fxp0    881
> >>10.0.11.1          00:10:54:cd:58:40  UHLW       28        0   fxp0   1197
> >>10.0.12.131        00:01:30:26:e0:00  UHLW        0        0   fxp0   1186
> >>10.0.14.20         00:02:55:58:22:0a  UHLW        6    39928   fxp0    975
> >>127.0.0.1          127.0.0.1          UH          0        6    lo0
> >>dcs_at_dcs:/opt/home/dcs$ exit
> >>exit
> >>
> >>Script done on Fri Oct 31 17:25:20 2003
> >>[0] dcs_at_dcs:/opt/home/dcs$ cat from_syscons
> >>Script started on Fri Oct 31 17:26:01 2003
> >>root_at_dcs:/root$ ls -ld /dev
> >>dr-xr-xr-x  4 root  wheel  512 Oct 31 13:56 /dev
> >>root_at_dcs:/root$ ls -l /dev/mem
> >>ls: /dev/mem: Permission denied
> >>root_at_dcs:/root$ ls -l /usr/bin/netstat
> >>-r-xr-sr-x  1 root  kmem  108664 Oct 31 13:18 /usr/bin/netstat
> >>root_at_dcs:/root$ netstat -nr
> >>netstat: kvm not available
> >>Routing tables
> >>rt_tables: symbol not in namelist
> >>root_at_dcs:/root$ exit
> >>exit
> >>
> >>Script done on Fri Oct 31 17:26:18 2003
> >>[0] dcs_at_dcs:/opt/home/dcs$ which ls
> >>/bin/ls
> >>[0] dcs_at_dcs:/opt/home/dcs$ type ls
> >>ls is aliased to `ls -G'
> >>[0] dcs_at_dcs:/opt/home/dcs$ unalias ls
> >>[0] dcs_at_dcs:/opt/home/dcs$ ls -l /dev/mem
> >>crw-r-----  1 root  kmem    2,   0 Oct 31 15:54 /dev/mem
> >>
> >>I'm CCing phk on the grounds of Mr Devfs, and Sam as I blamed the
> >>networking code earlier... :-)
> >>
> 
> -- 
> Daniel C. Sobral                   (8-DCS)
> Gerencia de Operacoes
> Divisao de Comunicacao de Dados
> Coordenacao de Seguranca
> VIVO Centro Oeste Norte
> Fones: 55-61-313-7654/Cel: 55-61-9618-0904
> E-mail: Daniel.Capo_at_tco.net.br
>          Daniel.Sobral_at_tcoip.com.br
>          dcs_at_tcoip.com.br
> 
> Outros:
> 	dcs_at_newsguy.com
> 	dcs_at_freebsd.org
> 	capo_at_notorious.bsdconspiracy.net
> 
> Ten years of rejection slips is nature's
> way of telling you to stop writing.
> 		-- R. Geis
> 
Received on Fri Oct 31 2003 - 10:50:56 UTC
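The check Robert describes (a subject may read /dev/mem only if its MLS label dominates the device's mls/high label, with mls/equal exempt) and his suggestion to compare getpmac output against the device label, as an added shell example that is not part of the thread or of FreeBSD itself. The label model is deliberately small: it understands mls/low, mls/high, mls/equal and mls/<number> only, ignores compartments and ranges, and the getpmac/getfmac output format it parses is assumed from the mac_mls notation; the mls/low label for the syscons login session is a constructed value, not one reported in the typescripts.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a minimal model of
# the MLS read check plus a wrapper around getpmac(8)/getfmac(8) that reports
# why /dev/mem is unreadable from a given shell.
# Assumptions: only mls/low, mls/high, mls/equal and mls/<number> are
# understood; compartments and label ranges are ignored.

# Map an MLS label to a comparable sensitivity level (65535 stands for high).
mls_level() {
    case "$1" in
        mls/low)  echo 0 ;;
        mls/high) echo 65535 ;;
        mls/*)
            lvl=${1#mls/}
            case "$lvl" in
                ''|*[!0-9]*) echo unknown ;;
                *) echo "$lvl" ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# mls_can_read SUBJECT_LABEL OBJECT_LABEL
# Prints "allow" or "deny". A subject reads an object only when its level
# dominates the object's; mls/equal on either side is exempt from the check.
mls_can_read() {
    subj=$1
    obj=$2
    if [ "$subj" = mls/equal ] || [ "$obj" = mls/equal ]; then
        echo allow; return 0
    fi
    s=$(mls_level "$subj")
    o=$(mls_level "$obj")
    if [ "$s" = unknown ] || [ "$o" = unknown ]; then
        echo deny; return 1          # unparseable label: fail closed
    fi
    if [ "$s" -ge "$o" ]; then
        echo allow; return 0
    fi
    echo deny; return 1
}

# Extract the mls/ component from a label string such as
# "biba/high,mls/low(low-high)" or "/dev/mem: mls/high" (format assumed).
mls_component() {
    printf '%s\n' "$1" | sed -n 's/.*\(mls\/[a-z0-9]*\).*/\1/p'
}

# On a FreeBSD host with mac_mls loaded: compare this shell's label with the
# label on /dev/mem, which is what the two typescripts in the thread boil down to.
mls_diagnose_dev_mem() {
    if ! command -v getpmac >/dev/null 2>&1 || ! command -v getfmac >/dev/null 2>&1; then
        echo "getpmac/getfmac not found: MAC tools unavailable on this host"
        return 2
    fi
    subj=$(mls_component "$(getpmac)")
    obj=$(mls_component "$(getfmac /dev/mem)")
    if [ -z "$subj" ] || [ -z "$obj" ]; then
        echo "no mls/ component in labels: is mac_mls loaded?"
        return 2
    fi
    echo "process label: $subj, /dev/mem label: $obj"
    mls_can_read "$subj" "$obj"
}

# Demo with constructed labels mirroring the two typescripts: a login(1)
# session on syscons (assumed here to be mls/low) versus a Konsole shell that
# inherited mls/equal from an X server started with setpmac.
mls_demo() {
    printf 'syscons root %s -> /dev/mem %s: %s\n' mls/low   mls/high "$(mls_can_read mls/low mls/high)"
    printf 'Konsole dcs  %s -> /dev/mem %s: %s\n' mls/equal mls/high "$(mls_can_read mls/equal mls/high)"
}

mls_demo
```

Run as-is it prints the deny/allow outcome for the two constructed sessions; on a host where mac_mls is loaded, calling `mls_diagnose_dev_mem` from the shell in question shows the actual process label next to the device label, which is the getpmac comparison Robert suggests for telling a missing login label from a genuine clearance problem.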