
D51719.id159709.diff

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -232,6 +232,9 @@
{"allow.adjtime", "allow.noadjtime", PR_ALLOW_ADJTIME},
{"allow.settime", "allow.nosettime", PR_ALLOW_SETTIME},
{"allow.routing", "allow.norouting", PR_ALLOW_ROUTING},
+#ifdef AUDIT
+ {"allow.setaudit", "allow.nosetaudit", PR_ALLOW_SETAUDIT},
+#endif
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
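Review bot: The new pr_flag_allow entry sits under `#ifdef AUDIT`, as does the SYSCTL_JAIL_PARAM in the later kern_jail.c hunk, but the PR_ALLOW_SETAUDIT define and its addition to PR_ALLOW_ALL_STATIC in the jail.h hunk, and the `pr_allow & PR_ALLOW_SETAUDIT` test in prison_priv_check, are unconditional. On a kernel built without AUDIT, pr_allow_all therefore carries a bit that no jail parameter can name; presumably harmless because the audit syscalls are stubbed out there, but the neighbouring static flags are all unconditional and the three places drift apart. Either drop the `#ifdef AUDIT` here and on the sysctl (the parameter then exists everywhere, matching the header) or guard the define and the mask update the same way, so that the table, the mask and the privilege check stay in step. This is a consistency point rather than a defect I can demonstrate from the hunk.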
@@ -3964,7 +3967,6 @@
*/
case PRIV_KTRACE:
-#if 0
/*
* Allow jailed processes to configure audit identity and
* submit audit records (login, etc). In the future we may
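Review bot: With the `#if 0` removed directly after `case PRIV_KTRACE:`, that label no longer has a statement of its own and falls through into the `PRIV_AUDIT_GETAUDIT`/`PRIV_AUDIT_SETAUDIT` arm added in the next hunk, so a jailed root's ktrace request is now decided by PR_ALLOW_SETAUDIT and refused with EPERM unless allow.setaudit is set, where before it continued down the run of labels to the permissive case. Give ktrace its own result before the audit comment block, `case PRIV_KTRACE:` followed by `return (0);`, or move the two audit cases out of that run of labels. While there, the `else` after `return (0);` is redundant; `return (EPERM);` on its own reads cleaner. prison_priv_check starts and ends outside both hunks, so the labels that follow `#endif` are inferred from the pre-change layout rather than visible here.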
@@ -3973,6 +3975,11 @@
*/
case PRIV_AUDIT_GETAUDIT:
case PRIV_AUDIT_SETAUDIT:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_SETAUDIT)
+ return (0);
+ else
+ return (EPERM);
+#if 0
case PRIV_AUDIT_SUBMIT:
#endif
@@ -4702,6 +4709,10 @@
"B", "Jail may set system time");
SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may modify routing table");
+#ifdef AUDIT
+SYSCTL_JAIL_PARAM(_allow, setaudit, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may set and get audit session state");
+#endif
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -592,8 +592,6 @@
{
int error;
- if (jailed(td->td_ucred))
- return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
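Review bot: Removing the `jailed()` gate here and in the five hunks that follow means a jailed caller now reaches `priv_check(td, PRIV_AUDIT_GETAUDIT)` on the line after the deletion, and since the kern_jail.c hunk gates PRIV_AUDIT_GETAUDIT and PRIV_AUDIT_SETAUDIT on the same flag, the three read-side entry points that check PRIV_AUDIT_GETAUDIT are refused with EPERM unless allow.setaudit is set, while the failure code for every one of these calls moves from ENOSYS to EPERM. That is a deliberate-looking behaviour change, but it is worth stating in the commit message, and the jail.8 text in this revision only says the flag allows jailed processes to "set" audit session state whereas the sysctl description says "set and get". If reading one's own audit identity inside a jail is meant to remain possible without the flag, the PRIV_AUDIT_GETAUDIT case would need to be split from the setaudit check; otherwise the manual page entry should say that getaudit(2) and getauid(2) are gated as well. The enclosing functions start and end outside these hunks.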
@@ -609,8 +607,6 @@
au_id_t id;
int error;
- if (jailed(td->td_ucred))
- return (ENOSYS);
error = copyin(uap->auid, &id, sizeof(id));
if (error)
return (error);
@@ -650,8 +646,6 @@
int error;
cred = td->td_ucred;
- if (jailed(cred))
- return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
@@ -674,8 +668,6 @@
struct auditinfo ai;
int error;
- if (jailed(td->td_ucred))
- return (ENOSYS);
error = copyin(uap->auditinfo, &ai, sizeof(ai));
if (error)
return (error);
@@ -715,8 +707,6 @@
{
int error;
- if (jailed(td->td_ucred))
- return (ENOSYS);
if (uap->length < sizeof(*uap->auditinfo_addr))
return (EOVERFLOW);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
@@ -734,8 +724,6 @@
struct auditinfo_addr aia;
int error;
- if (jailed(td->td_ucred))
- return (ENOSYS);
error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
if (error)
return (error);
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -260,7 +260,8 @@
#define PR_ALLOW_ADJTIME 0x00080000
#define PR_ALLOW_SETTIME 0x00100000
#define PR_ALLOW_ROUTING 0x00200000
-#define PR_ALLOW_ALL_STATIC 0x003f87ff
+#define PR_ALLOW_SETAUDIT 0x00400000
+#define PR_ALLOW_ALL_STATIC 0x007f87ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd May 11, 2025
+.Dd August 4, 2025
.Dt JAIL 8
.Os
.Sh NAME
@@ -696,15 +696,15 @@
disabled.
The super-user is enabled by default.
.It Va allow.extattr
-Allow privileged process in the jail to manipulate filesystem extended
+Allow privileged processes in the jail to manipulate filesystem extended
attributes in the system namespace.
.It Va allow.adjtime
-Allow privileged process in the jail to slowly adjusting global operating system
+Allow privileged processes in the jail to slowly adjusting global operating system
time.
For example through utilities like
.Xr ntpd 8 .
.It Va allow.settime
-Allow privileged process in the jail to set global operating system data
+Allow privileged processes in the jail to set global operating system data
and time.
For example through utilities like
.Xr date 1 .
@@ -713,6 +713,17 @@
.It Va allow.routing
Allow privileged process in the non-VNET jail to modify the system routing
table.
+.It Va allow.setaudit
+Allow privileged processes in the jail to set
+.Xr audit 4
+session state using
+.Xr setaudit 2
+and related system calls.
+This is useful, for example, for allowing a jailed
+.Xr sshd 8
+to set the audit user ID for an authenticated session.
+However, it gives jailed processes the ability to modify or disable audit
+session state, so should be configured with care.
.El
.El
.Pp
diff --git a/usr.sbin/jail/tests/jail_basic_test.sh b/usr.sbin/jail/tests/jail_basic_test.sh
--- a/usr.sbin/jail/tests/jail_basic_test.sh
+++ b/usr.sbin/jail/tests/jail_basic_test.sh
@@ -293,6 +293,25 @@
fi
}
+atf_test_case "setaudit"
+setaudit_head()
+{
+ atf_set descr 'Test that setaudit works in a jail when configured with allow.setaudit'
+ atf_set require.user root
+ atf_set require.progs setaudit
+}
+
+setaudit_body()
+{
+ # Try to modify the audit mask within a jail without
+ # allow.setaudit configured.
+ atf_check -s not-exit:0 -o empty -e not-empty jail -c name=setaudit_jail \
+ command=setaudit -m fr ls /
+ # The command should succeed if allow.setaudit is configured.
+ atf_check -s exit:0 -o ignore -e empty jail -c name=setaudit_jail \
+ allow.setaudit command=setaudit -m fr ls /
+}
+
atf_init_test_cases()
{
atf_add_test_case "basic"
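Review bot: setaudit_body fails rather than skips on a kernel built without audit support: the first atf_check still passes because setaudit exits non-zero (ENOSYS), but the second expects success, so a kernel-configuration gap is reported as a test failure. Add a probe at the top of setaudit_body before the two checks, e.g. `if [ "$(sysctl -n kern.features.audit 2>/dev/null)" != "1" ]; then atf_skip "audit not compiled into the kernel"; fi`. The case also only observes exit status and stderr; a comment such as `# Only the privilege check is exercised here; the mask itself is not verified.` would make that scope explicit for the next person extending it.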
@@ -301,4 +320,5 @@
atf_add_test_case "commands"
atf_add_test_case "jid_name_set"
atf_add_test_case "param_consistency"
+ atf_add_test_case "setaudit"
}
