From e8ade4e3466bbcccc9835833affde7574e664d5d Mon Sep 17 00:00:00 2001
From: jamie
Date: Sat, 20 Oct 2018 16:20:36 +0000
Subject: [PATCH] MFC r339409, r339420: Add a new jail permission, allow.read_msgbuf. When true, jailed processes can see the dmesg buffer (this is the current behavior). When false (the new default), dmesg will be unavailable to jailed users, whether root or not.

The security.bsd.unprivileged_read_msgbuf sysctl still works as before, controlling system-wide whether non-root users can see the buffer.

PR: 211580
Submitted by: bz
---
 sys/kern/kern_jail.c | 13 +++++++++++++
 sys/kern/kern_priv.c | 16 ++++++++++++++++
 sys/kern/subr_prf.c | 13 +++----------
 sys/sys/jail.h | 3 ++-
 usr.sbin/jail/jail.8 | 7 ++++++-
 5 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 3128e795c6f..0f94fd7c399 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -200,6 +200,7 @@ static char *pr_allow_names[] = {
 "allow.mount.fdescfs",
 "allow.mount.linprocfs",
 "allow.mount.linsysfs",
+ "allow.read_msgbuf",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -219,6 +220,7 @@ static char *pr_allow_nonames[] = {
 "allow.mount.nofdescfs",
 "allow.mount.nolinprocfs",
 "allow.mount.nolinsysfs",
+ "allow.noread_msgbuf",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
@@ -3348,6 +3350,15 @@ prison_priv_check(struct ucred *cred, int priv)
 case PRIV_PROC_SETLOGINCLASS:
 return (0);
 
+ /* * Do not allow a process inside a jail to read the kernel * message buffer unless explicitly permitted. */
+ case PRIV_MSGBUF:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF)
+ return (0);
+ return (EPERM);
+
 default:
 /*
 * In all remaining cases, deny the privilege request. This 
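Review bot: Nothing above pr_allow_names[] records that its entry order must match the PR_ALLOW_* bit values, yet `"allow.read_msgbuf"` is appended here, `"allow.noread_msgbuf"` is appended to pr_allow_nonames[] in the next hunk, and PR_ALLOW_READ_MSGBUF is given 0x8000 in the sys/sys/jail.h hunk; if, as the parallel numbering suggests, these arrays are indexed by bit position, a future flag inserted in the middle of any one list would silently rename another permission. A comment on each array, `/* Order must match the PR_ALLOW_* bit values in sys/jail.h. */`, would make the coupling explicit, and the jail.h hunk could likewise note that PR_ALLOW_ALL is maintained by hand and now covers every bit up to 0x8000. Both array definitions start outside the hunk.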
@@ -3796,6 +3807,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may read the kernel message buffer");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c
index 4b9a4443de3..ef48ca98929 100644
--- a/sys/kern/kern_priv.c
+++ b/sys/kern/kern_priv.c
@@ -60,6 +60,11 @@ static int unprivileged_mlock = 1;
 SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RWTUN,
 &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)");
 
+static int unprivileged_read_msgbuf = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
+ CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
+ "Unprivileged processes may read the kernel message buffer");
+
 SDT_PROVIDER_DEFINE(priv);
 SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__ok, "int");
 SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__err, "int");
@@ -107,6 +112,17 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
 }
 }
 
+ if (unprivileged_read_msgbuf) {
+ /* * Allow an unprivileged user to read the kernel message * buffer. */
+ if (priv == PRIV_MSGBUF) {
+ error = 0;
+ goto out;
+ }
+ }
+
 /*
 * Having determined if privilege is restricted by various policies,
 * now determine if privilege is granted. At this point, any policy
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index 83fc1d34dd5..f919629698b 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
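Review bot: The relocated unprivileged_read_msgbuf sysctl keeps `CTLFLAG_RW` while the neighbouring unprivileged_mlock knob visible in the same hunk uses `CTLFLAG_RWTUN`, so this policy still cannot be preset from loader.conf the way its sibling can. The flag is carried over unchanged from the definition deleted in subr_prf.c, so this may be deliberate; if so a one-line comment saying that would stop the next reader from "fixing" it, and if not, `CTLFLAG_RWTUN, &unprivileged_read_msgbuf, 0,` brings it in line with the rest of the security.bsd knobs here.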
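Review bot: The new comment `Allow an unprivileged user to read the kernel message buffer.` omits the property the commit message relies on: this grant sits after the restriction policies earlier in priv_check_cred() (the jail check is outside the hunk, but the commit message implies it runs first), so a jail without allow.read_msgbuf has already been refused before this block is reached and the sysctl cannot widen access inside a jail. Suggest extending the comment to `Allow an unprivileged user to read the kernel message buffer. This is reached only after the jail restrictions above have passed, so it never overrides their denial.`, adjusted if the ordering turns out to differ. The nested `if` mirrors the block that closes just above it, so the shape is consistent with the file.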
@@ -1042,11 +1042,6 @@ msgbufinit(void *ptr, int size)
 oldp = msgbufp;
 }
 
-static int unprivileged_read_msgbuf = 1;
-SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
- CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
- "Unprivileged processes may read the kernel message buffer");
-
 /* Sysctls for accessing/clearing the msgbuf */
 static int
 sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
@@ -1055,11 +1050,9 @@ sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
 u_int seq;
 int error, len;
 
- if (!unprivileged_read_msgbuf) {
- error = priv_check(req->td, PRIV_MSGBUF);
- if (error)
- return (error);
- }
+ error = priv_check(req->td, PRIV_MSGBUF);
+ if (error)
+ return (error);
 
 /* Read the whole buffer, one chunk at a time. */
 mtx_lock(&msgbuf_lock);
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index c736bb2dc74..0f30a75f740 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -230,7 +230,8 @@ struct prison_racct {
 #define PR_ALLOW_MOUNT_FDESCFS 0x1000
 #define PR_ALLOW_MOUNT_LINPROCFS 0x2000
 #define PR_ALLOW_MOUNT_LINSYSFS 0x4000
-#define PR_ALLOW_ALL 0x7fff
+#define PR_ALLOW_READ_MSGBUF 0x8000
+#define PR_ALLOW_ALL 0xffff
 
 /*
 * OSD methods
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 70f6d10e941..b4d7bac9c6a 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd April 30, 2016
+.Dd October 20, 2018
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -607,6 +607,11 @@ within a jail.
 The jail root may administer quotas on the jail's filesystem(s). This includes filesystems that the jail may share with other jails or with non-jailed parts of the system.
+.It Va allow.read_msgbuf
+Jailed users may read the kernel message buffer.
+If the
+.Va security.bsd.unprivileged_read_msgbuf
+MIB entry is zero, this will be restricted to the root user.
 .It Va allow.socket_af
 Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that
-- 
2.45.0
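Review bot: With the unprivileged_read_msgbuf sysctl removed from this file, sysctl_kern_msgbuf() now calls priv_check() unconditionally and nothing local explains where the "unprivileged users may read" behaviour went, so a reader of this function alone would assume every dmesg read now requires root. A one-line comment above the call, `/* Jail (allow.read_msgbuf) and security.bsd.unprivileged_read_msgbuf policy are applied inside priv_check_cred(). */`, would keep that traceable. Note also that the unprivileged path previously bypassed priv_check() entirely, so every policy priv_check_cred() consults ahead of the new grant now applies to it as well; that is the intended jail behaviour, but worth confirming it is intended for any other policy checked there. The rest of the function body lies outside the hunk.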