Re: pledge allows /dev/null to be any file type

Sun, 19 Mar 2023 15:26:38 -0700 

Your report is complete bullshit.

If /dev/null isn't the right device, then either you were holed by someone who
is trying to mess with you, or your root operator is an idiot.

p...@delphinusdns.org wrote:

> >Synopsis:    pledge allows /dev/null to be any file type
> >Category:    kernel
> >Environment:
>       System      : OpenBSD 7.2
>       Details     : OpenBSD 7.2 (GENERIC.MP) #2: Thu Nov 24 23:53:03 MST 2022
>                        
> r...@syspatch-72-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
> 
>       Architecture: OpenBSD.arm64
>       Machine     : arm64
> >Description:
>       I was testing pledge on a 7.2 system and as a test opened /dev/null.
> I was astonished that it didn't abort.  OK perhaps it needs to do that but
> doesn't it work better if /dev/null is major/minor (2,2) device?  I have a 
> ktrace for you to show what I mean.
> >How-To-Repeat:
> spica# mkdir dev      
> mkdir: dev: File exists
> spica# touch dev/null
> spica# ktrace -i ./testprog
> spica# ls -l dev/null
> -rw-r--r--  1 root  pjp  5 Mar 19 22:51 dev/null
> spica# cat dev/null
> test
> spica# 
> 
> The ktrace I'm gonna edit it to show only the juicy parts:
> 
>  13252 testprog CALL  chroot(0x995cc0ea640)
>  13252 testprog NAMI  "/home/pjp"
>  13252 testprog RET   chroot 0
>  13252 testprog CALL  kbind(0x7f7fffff95b8,24,0xd10fcc1b312a79c0)
>  13252 testprog RET   kbind 0
>  13252 testprog CALL  chdir(0x995cc0ea64a)
>  13252 testprog NAMI  "/"
>  13252 testprog RET   chdir 0
>  13252 testprog CALL  kbind(0x7f7fffff95b8,24,0xd10fcc1b312a79c0)
>  13252 testprog RET   kbind 0
>  13252 testprog CALL  pledge(0x995cc0ea652,0)
>  13252 testprog STRU  promise="stdio"
>  13252 testprog RET   pledge 0
>  13252 testprog CALL  kbind(0x7f7fffff95b8,24,0xd10fcc1b312a79c0)
>  13252 testprog RET   kbind 0
>  13252 testprog CALL  open(0x995cc0ea658,0x1<O_WRONLY>)
>  13252 testprog NAMI  "/dev/null"
>  13252 testprog RET   open 4
>  13252 testprog CALL  kbind(0x7f7fffff95b8,24,0xd10fcc1b312a79c0)
>  13252 testprog RET   kbind 0
>  13252 testprog CALL  write(4,0x995cc0ea64c,0x5)
>  13252 testprog GIO   fd 4 wrote 5 bytes
>        "test
> 
> So writing to a file called {CHROOT}/dev/null is allowed on stdio pledge.
> This is very suboptimal to me.  Can't it perform a check for major 2, minor 2?
> 
> spica# ls -l /dev/null
> crw-rw-rw-  1 root  wheel    2,   2 Mar 19 10:14 /dev/null
> 
> >Fix:
> From github I got this for the HEAD of CVS from:
> 
> https://github.com/openbsd/src/blob/master/sys/kern/kern_pledge.c
> 
> 
> ----->
>       case SYS_open:
>               /* daemon(3) or other such functions */
>               if ((ni->ni_pledge & ~(PLEDGE_RPATH | PLEDGE_WPATH)) == 0 &&
>                   strcmp(path, "/dev/null") == 0) {
>                       ni->ni_cnd.cn_flags |= BYPASSUNVEIL;
>                       return (0);
>               }
> <------
> 
> I figure that's the code for this, partially.  But someone else would surely
> know better.  And has surely a better fix on hand?
> 
> 
> dmesg:
> see previous reports.
>

Reply via email to