Page MenuHomeFreeBSD
Differential D54992

kern: better hierarchical jail semantics for ALLOW_UNPRIV_PARENT_TAMPER
AcceptedPublic
Actions

Authored by kevans on Jan 31 2026, 3:03 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, May 14, 8:27 AM
Unknown Object (File)
Wed, May 13, 11:32 PM
Unknown Object (File)
Mon, May 11, 3:56 AM
Unknown Object (File)
Mon, May 11, 3:55 AM
Unknown Object (File)
Thu, May 7, 2:05 PM
Unknown Object (File)
Sun, May 3, 1:28 AM
Unknown Object (File)
Wed, Apr 29, 8:04 AM
Unknown Object (File)
Tue, Apr 28, 9:08 AM
View All 23 Files
Subscribers
imp
olce
zlei

Details

Reviewers
olce
jamie
Group Reviewers
Jails
Summary

The operating theory here is that one might want a jail structure like:

prison0

  • foo: allow.nounprivileged_parent_tampering
    • bar: allow.unprivileged_parent_tampering

From a high-level view, the above settings effectively say that the
foo uid space is independent of prison0, but bar is expected to be the
same as foo. With the current implementation, prison0 unprivileged
users would be allowed to operate on foo.bar, but not on foo. This is
clearly not the intended behavior.

Add a prison_chain_allow() that evaluates the target jail and all
intermediates to confirm that the given allow bit is set in the entire
path, and use it for PR_ALLOW_UNPRIV_PARENT_TAMPER. This creates the
appropriate barrier for prison0 -> foo.bar in all cases.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 70264
Build 67147: arc lint + arc unit

Event Timeline

kevans created this revision.Jan 31 2026, 3:03 AM
Herald added subscribers: olce, imp. · View Herald TranscriptJan 31 2026, 3:03 AM
kevans requested review of this revision.Jan 31 2026, 3:03 AM
Harbormaster completed remote builds in B70264: Diff 170823.Jan 31 2026, 3:03 AM
kevans added a comment.Thu, Apr 23, 6:49 PM

Ping?

zlei added a subscriber: zlei.Fri, Apr 24, 6:36 AM

Not familiar with the ucred part, but the concept looks good to me. I'm adding @olce ( I think he is familiar with ucred) for this.

zlei added a reviewer: olce.Fri, Apr 24, 6:37 AM
bz added a reviewer: jamie.Fri, Apr 24, 11:53 AM
jamie accepted this revision.Mon, May 4, 9:51 PM

PR_ALLOW_UNPRIV_PARENT_TAMPER is enough of a corner case (in restricting a parent jail) that I don't foresee anyone else calling prison_chain_allow. But perhaps that's just my own lack of imagination ;-)

This revision is now accepted and ready to land.Mon, May 4, 9:51 PM
kevans added a comment.Mon, May 4, 11:47 PM
In D54992#1301471, @jamie wrote:

PR_ALLOW_UNPRIV_PARENT_TAMPER is enough of a corner case (in restricting a parent jail) that I don't foresee anyone else calling prison_chain_allow. But perhaps that's just my own lack of imagination ;-)

That's a very good point- I might change it to prison_allow_tampering and drop the unsigned argument pre-commit. We've gone this long without having any other weird ones like this, it may be that we don't want to encourage other extensions like it without further design review (and then, this is easy to abstract out) -- the tampering case makes some amount of sense, at least, because it's specifically root forbidding its own users from crossing the boundary.

Revision Contents
Changeset List

PathSize
sys/
kern/
24 lines
9 lines
sys/
1 line

Diff 170823

View Options

sys/kern/kern_jail.c

Loading...
View Options

sys/kern/kern_prot.c

Loading...
View Options

sys/sys/jail.h

Loading...