Page MenuHomeFreeBSD
Files F144156580

D27128.id79728.diff
No OneTemporary
Actions

D27128.id79728.diff
View Options

Index: head/sys/kern/kern_jail.c
===================================================================
--- head/sys/kern/kern_jail.c
+++ head/sys/kern/kern_jail.c
@@ -199,12 +199,14 @@
{"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF},
{"allow.unprivileged_proc_debug", "allow.nounprivileged_proc_debug",
PR_ALLOW_UNPRIV_DEBUG},
+ {"allow.suser", "allow.nosuser", PR_ALLOW_SUSER},
};
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | \
PR_ALLOW_RESERVED_PORTS | \
- PR_ALLOW_UNPRIV_DEBUG)
+ PR_ALLOW_UNPRIV_DEBUG | \
+ PR_ALLOW_SUSER)
#define JAIL_DEFAULT_ENFORCE_STATFS 2
#define JAIL_DEFAULT_DEVFS_RSNUM 0
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
@@ -3815,6 +3817,8 @@
"B", "Jail may read the kernel message buffer");
SYSCTL_JAIL_PARAM(_allow, unprivileged_proc_debug, CTLTYPE_INT | CTLFLAG_RW,
"B", "Unprivileged processes may use process debugging facilities");
+SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Processes in jail with uid 0 have privilege");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
Index: head/sys/kern/kern_priv.c
===================================================================
--- head/sys/kern/kern_priv.c
+++ head/sys/kern/kern_priv.c
@@ -3,6 +3,7 @@
*
* Copyright (c) 2006 nCircle Network Security, Inc.
* Copyright (c) 2009 Robert N. M. Watson
+ * Copyright (c) 2020 Mariusz Zaborski <oshogbo@FreeBSD.org>
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
@@ -36,6 +37,9 @@
#include <sys/param.h>
#include <sys/jail.h>
#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
+#include <sys/sx.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sdt.h>
@@ -54,10 +58,58 @@
* userland programs, and should not be done without careful consideration of
* the consequences.
*/
-static int __read_mostly suser_enabled = 1;
-SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RWTUN,
- &suser_enabled, 0, "processes with uid 0 have privilege");
+static bool
+suser_enabled(struct ucred *cred)
+{
+
+ return (prison_allow(cred, PR_ALLOW_SUSER) ? true : false);
+}
+
+static void inline
+prison_suser_set(struct prison *pr, int enabled)
+{
+
+ if (enabled) {
+ pr->pr_allow |= PR_ALLOW_SUSER;
+ } else {
+ pr->pr_allow &= ~PR_ALLOW_SUSER;
+ }
+}
+
+static int
+sysctl_kern_suser_enabled(SYSCTL_HANDLER_ARGS)
+{
+ struct prison *pr, *cpr;
+ struct ucred *cred;
+ int descend, error, enabled;
+
+ cred = req->td->td_ucred;
+ enabled = suser_enabled(cred);
+
+ error = sysctl_handle_int(oidp, &enabled, 0, req);
+ if (error || !req->newptr)
+ return (error);
+
+ pr = cred->cr_prison;
+ sx_slock(&allprison_lock);
+ mtx_lock(&pr->pr_mtx);
+
+ prison_suser_set(pr, enabled);
+ if (!enabled) {
+ FOREACH_PRISON_DESCENDANT_LOCKED(pr, cpr, descend) {
+ prison_suser_set(cpr, 0);
+ }
+ }
+ mtx_unlock(&pr->pr_mtx);
+ sx_sunlock(&allprison_lock);
+ return (0);
+}
+
+SYSCTL_PROC(_security_bsd, OID_AUTO, suser_enabled, CTLTYPE_INT |
+ CTLFLAG_RWTUN | CTLFLAG_PRISON, 0, 0, &sysctl_kern_suser_enabled, "I",
+ "Processes with uid 0 have privilege");
+
static int unprivileged_mlock = 1;
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RWTUN,
&unprivileged_mlock, 0, "Allow non-root users to call mlock(2)");
@@ -186,7 +238,7 @@
* superuser policy to be globally disabled, although this is
* currenty of limited utility.
*/
- if (suser_enabled) {
+ if (suser_enabled(cred)) {
switch (priv) {
case PRIV_MAXFILES:
case PRIV_MAXPROC:
@@ -258,7 +310,7 @@
if (error)
goto out;
- if (cred->cr_uid == 0 && suser_enabled) {
+ if (cred->cr_uid == 0 && suser_enabled(cred)) {
error = 0;
goto out;
}
@@ -279,7 +331,7 @@
return (priv_check_cred_vfs_lookup_slow(cred));
error = EPERM;
- if (cred->cr_uid == 0 && suser_enabled)
+ if (cred->cr_uid == 0 && suser_enabled(cred))
error = 0;
return (error);
}
@@ -294,7 +346,7 @@
return (EAGAIN);
error = EPERM;
- if (cred->cr_uid == 0 && suser_enabled)
+ if (cred->cr_uid == 0 && suser_enabled(cred))
error = 0;
return (error);
}
@@ -313,7 +365,7 @@
goto out;
}
- if (cred->cr_uid == 0 && suser_enabled) {
+ if (cred->cr_uid == 0 && suser_enabled(cred)) {
error = 0;
goto out;
}
@@ -334,7 +386,7 @@
return (priv_check_cred_vfs_generation_slow(cred));
error = EPERM;
- if (!jailed(cred) && cred->cr_uid == 0 && suser_enabled)
+ if (!jailed(cred) && cred->cr_uid == 0 && suser_enabled(cred))
error = 0;
return (error);
}
Index: head/sys/sys/jail.h
===================================================================
--- head/sys/sys/jail.h
+++ head/sys/sys/jail.h
@@ -232,9 +232,10 @@
#define PR_ALLOW_MLOCK 0x00000080
#define PR_ALLOW_READ_MSGBUF 0x00000100
#define PR_ALLOW_UNPRIV_DEBUG 0x00000200
+#define PR_ALLOW_SUSER 0x00000400
#define PR_ALLOW_RESERVED_PORTS 0x00008000
#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
-#define PR_ALLOW_ALL_STATIC 0x000183ff
+#define PR_ALLOW_ALL_STATIC 0x000187ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
Index: head/usr.sbin/jail/jail.8
===================================================================
--- head/usr.sbin/jail/jail.8
+++ head/usr.sbin/jail/jail.8
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd May 14, 2020
+.Dd November 18, 2020
.Dt JAIL 8
.Os
.Sh NAME
@@ -587,6 +587,13 @@
The jail root may bind to ports lower than 1024.
.It Va allow.unprivileged_proc_debug
Unprivileged processes in the jail may use debugging facilities.
+.It Va allow.suser
+The value of the jail's
+.Va security.bsd.suser_enabled
+sysctl.
+The super-user will be disabled automatically if its parent system has it
+disabled.
+The super-user is enabled by default.
.El
.El
.Pp
@@ -1267,6 +1274,7 @@
environment, only the jail environment.
These variables are
.Va kern.securelevel ,
+.Va security.bsd.suser_enabled ,
.Va kern.hostname ,
.Va kern.domainname ,
.Va kern.hostid ,

File Metadata

Mime Type
text/plain
Expires
Fri, Feb 6, 4:35 PM (6 h, 8 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
28449156
Default Alt Text
D27128.id79728.diff (6 KB)

Event Timeline