
D45545.id139680.diff

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -223,6 +223,7 @@
{"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
#endif
{"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
+ {"allow.adjtime", "allow.noadjtime", PR_ALLOW_ADJTIME},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4167,6 +4168,17 @@
return (0);
return (EPERM);
+ /*
+ * Conditionally allow privileged process in the jail adjust
+ * machine time.
+ */
+ case PRIV_ADJTIME:
+ case PRIV_NTP_ADJTIME:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_ADJTIME)
+ return (0);
+ else
+ return (EPERM);
+
default:
/*
* In all remaining cases, deny the privilege request. This
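Review bot: The comment above the new `PRIV_ADJTIME`/`PRIV_NTP_ADJTIME` case does not say that the clock being adjusted is, as far as this diff shows, the machine-wide one rather than a per-jail one. A jail granted `allow.adjtime` can therefore skew time for the host and every other jail, which affects certificate and ticket validity windows, log timestamps and timeouts. The comment should state that scope, for example `/* The clock is system-wide: enabling this lets the jail shift time for the host and all other jails. */`. As a style point, the `else` after `return (0);` is redundant and differs from the case just above, which ends in a plain `return (0);` followed by `return (EPERM);`. The enclosing switch starts and ends outside this hunk.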
@@ -4631,6 +4643,8 @@
#endif
SYSCTL_JAIL_PARAM(_allow, extattr, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set system-level filesystem extended attributes");
+SYSCTL_JAIL_PARAM(_allow, adjtime, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may adjust system time");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -254,7 +254,8 @@
#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
#define PR_ALLOW_NFSD 0x00020000
#define PR_ALLOW_EXTATTR 0x00040000
-#define PR_ALLOW_ALL_STATIC 0x000787ff
+#define PR_ALLOW_ADJTIME 0x00080000
+#define PR_ALLOW_ALL_STATIC 0x000f87ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd March 16, 2024
+.Dd June 10, 2024
.Dt JAIL 8
.Os
.Sh NAME
@@ -656,6 +656,8 @@
.It Va allow.extattr
Allow privileged process in the jail to manipulate filesystem extended
attributes in the system namespace.
+.It Va allow.adjtime
+Allow privileged process in the jail to manipulate time of operating system.
.El
.El
.Pp
@@ -1415,6 +1417,8 @@
.Xr pkill 1 ,
.Xr ps 1 ,
.Xr quota 1 ,
+.Xr adjtime 2 ,
+.Xr ntp_adjtime 2 ,
.Xr jail_set 2 ,
.Xr devfs 4 ,
.Xr fdescfs 4 ,
@@ -1436,6 +1440,7 @@
.Xr mount 8 ,
.Xr mountd 8 ,
.Xr nfsd 8 ,
+.Xr ntpd 8 ,
.Xr reboot 8 ,
.Xr rpcbind 8 ,
.Xr sendmail 8 ,
