D27128.id79356.diff
No OneTemporary
Actions

Size

6 KB

Referenced Files

None

Subscribers

None

D27128.id79356.diff
View Options

	Index: sys/kern/kern_jail.c
	===================================================================
	--- sys/kern/kern_jail.c
	+++ sys/kern/kern_jail.c
	@@ -99,22 +99,23 @@

	/* prison0 describes what is "real" about the system. */
	struct prison prison0 = {
	- .pr_id = 0,
	- .pr_name = "0",
	- .pr_ref = 1,
	- .pr_uref = 1,
	- .pr_path = "/",
	- .pr_securelevel = -1,
	- .pr_devfs_rsnum = 0,
	- .pr_childmax = JAIL_MAX,
	- .pr_hostuuid = DEFAULT_HOSTUUID,
	- .pr_children = LIST_HEAD_INITIALIZER(prison0.pr_children),
	+ .pr_id = 0,
	+ .pr_name = "0",
	+ .pr_ref = 1,
	+ .pr_uref = 1,
	+ .pr_path = "/",
	+ .pr_securelevel = -1,
	+ .pr_suser_enabled = 1,
	+ .pr_devfs_rsnum = 0,
	+ .pr_childmax = JAIL_MAX,
	+ .pr_hostuuid = DEFAULT_HOSTUUID,
	+ .pr_children = LIST_HEAD_INITIALIZER(prison0.pr_children),
	#ifdef VIMAGE
	- .pr_flags = PR_HOST\|PR_VNET\|_PR_IP_SADDRSEL,
	+ .pr_flags = PR_HOST\|PR_VNET\|_PR_IP_SADDRSEL,
	#else
	- .pr_flags = PR_HOST\|_PR_IP_SADDRSEL,
	+ .pr_flags = PR_HOST\|_PR_IP_SADDRSEL,
	#endif
	- .pr_allow = PR_ALLOW_ALL_STATIC,
	+ .pr_allow = PR_ALLOW_ALL_STATIC,
	};
	MTX_SYSINIT(prison0, &prison0.pr_mtx, "jail mutex", MTX_DEF);

	@@ -518,8 +519,8 @@
	size_t namelen, onamelen, pnamelen;
	int born, created, cuflags, descend, enforce;
	int error, errmsg_len, errmsg_pos;
	- int gotchildmax, gotenforce, gothid, gotrsnum, gotslevel;
	- int jid, jsys, len, level;
	+ int gotchildmax, gotenforce, gothid, gotrsnum, gotslevel, gotsuser;
	+ int jid, jsys, len, level, suser;
	int childmax, osreldt, rsnum, slevel;
	#if defined(INET) \|\| defined(INET6)
	int ii, ij;
	@@ -588,6 +589,14 @@
	else
	gotslevel = 1;

	+ error = vfs_copyopt(opts, "suser_enabled", &suser, sizeof(suser));
	+ if (error == ENOENT)
	+ gotsuser = 0;
	+ else if (error != 0)
	+ goto done_free;
	+ else
	+ gotsuser = 1;
	+
	error =
	vfs_copyopt(opts, "children.max", &childmax, sizeof(childmax));
	if (error == ENOENT)
	@@ -1270,6 +1279,7 @@
	pr->pr_flags \|= _PR_IP_SADDRSEL;

	pr->pr_securelevel = ppr->pr_securelevel;
	+ pr->pr_suser_enabled = ppr->pr_suser_enabled;
	pr->pr_allow = JAIL_DEFAULT_ALLOW & ppr->pr_allow;
	pr->pr_enforce_statfs = jail_default_enforce_statfs;
	pr->pr_devfs_rsnum = ppr->pr_devfs_rsnum;
	@@ -1348,6 +1358,12 @@
	goto done_deref_locked;
	}
	}
	+ if (gotsuser) {
	+ if (suser > ppr->pr_suser_enabled) {
	+ error = EPERM;
	+ goto done_deref_locked;
	+ }
	+ }
	if (gotchildmax) {
	if (childmax >= ppr->pr_childmax) {
	error = EPERM;
	@@ -1637,6 +1653,13 @@
	if (tpr->pr_securelevel < slevel)
	tpr->pr_securelevel = slevel;
	}
	+ if (gotsuser) {
	+ pr->pr_suser_enabled = suser;
	+ /* Pass this restriction on to the children. */
	+ FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend)
	+ if (tpr->pr_suser_enabled != suser)
	+ tpr->pr_suser_enabled = suser;
	+ }
	if (gotchildmax) {
	pr->pr_childmax = childmax;
	/* Set all child jails to under this limit. */
	@@ -2070,6 +2093,10 @@
	sizeof(pr->pr_securelevel));
	if (error != 0 && error != ENOENT)
	goto done_deref;
	+ error = vfs_setopt(opts, "suser_enabled", &pr->pr_suser_enabled,
	+ sizeof(pr->pr_suser_enabled));
	+ if (error != 0 && error != ENOENT)
	+ goto done_deref;
	error = vfs_setopt(opts, "children.cur", &pr->pr_childcount,
	sizeof(pr->pr_childcount));
	if (error != 0 && error != ENOENT)
	@@ -3739,6 +3766,8 @@
	SYSCTL_JAIL_PARAM_STRING(, path, CTLFLAG_RDTUN, MAXPATHLEN, "Jail root path");
	SYSCTL_JAIL_PARAM(, securelevel, CTLTYPE_INT \| CTLFLAG_RW,
	"I", "Jail secure level");
	+SYSCTL_JAIL_PARAM(, suser_enabled, CTLTYPE_INT \| CTLFLAG_RW,
	+ "I", "Process in jail with uid 0 have privilege");
	SYSCTL_JAIL_PARAM(, osreldate, CTLTYPE_INT \| CTLFLAG_RDTUN, "I",
	"Jail value for kern.osreldate and uname -K");
	SYSCTL_JAIL_PARAM_STRING(, osrelease, CTLFLAG_RDTUN, OSRELEASELEN,
	@@ -4171,6 +4200,7 @@
	#endif
	db_printf(" root = %p\n", pr->pr_root);
	db_printf(" securelevel = %d\n", pr->pr_securelevel);
	+ db_printf(" suser_enabled = %d\n", pr->pr_suser_enabled);
	db_printf(" devfs_rsnum = %d\n", pr->pr_devfs_rsnum);
	db_printf(" children.max = %d\n", pr->pr_childmax);
	db_printf(" children.cur = %d\n", pr->pr_childcount);
	Index: sys/kern/kern_priv.c
	===================================================================
	--- sys/kern/kern_priv.c
	+++ sys/kern/kern_priv.c
	@@ -71,6 +71,16 @@
	SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__ok, "int");
	SDT_PROBE_DEFINE1(priv, kernel, priv_check, priv__err, "int");

	+static bool
	+priv_jail_suser_enabled(struct ucred *cred)
	+{
	+
	+ if (!jailed(cred))
	+ return (true);
	+
	+ return (cred->cr_prison->pr_suser_enabled == 1);
	+}
	+
	static __always_inline int
	priv_check_cred_pre(struct ucred *cred, int priv)
	{
	@@ -186,7 +196,7 @@
	* superuser policy to be globally disabled, although this is
	* currenty of limited utility.
	*/
	- if (suser_enabled) {
	+ if (suser_enabled && priv_jail_suser_enabled(cred)) {
	switch (priv) {
	case PRIV_MAXFILES:
	case PRIV_MAXPROC:
	Index: sys/sys/jail.h
	===================================================================
	--- sys/sys/jail.h
	+++ sys/sys/jail.h
	@@ -179,6 +179,7 @@
	int pr_childmax; /* (p) maximum child jails */
	unsigned pr_allow; /* (p) PR_ALLOW_* flags */
	int pr_securelevel; /* (p) securelevel */
	+ int pr_suser_enabled; /* (c) suser enabled */
	int pr_enforce_statfs; /* (p) statfs permission */
	int pr_devfs_rsnum; /* (p) devfs ruleset */
	int pr_spare[3];
	Index: usr.sbin/jail/config.c
	===================================================================
	--- usr.sbin/jail/config.c
	+++ usr.sbin/jail/config.c
	@@ -120,6 +120,7 @@
	[KP_PATH] = {"path", 0},
	[KP_PERSIST] = {"persist", 0},
	[KP_SECURELEVEL] = {"securelevel", 0},
	+ [KP_SUSER_ENABLED] = {"suser_enabled", 0},
	[KP_VNET] = {"vnet", 0},
	};

	Index: usr.sbin/jail/jail.8
	===================================================================
	--- usr.sbin/jail/jail.8
	+++ usr.sbin/jail/jail.8
	@@ -25,7 +25,7 @@
	.\"
	.\" $FreeBSD$
	.\"
	-.Dd May 14, 2020
	+.Dd November 6, 2020
	.Dt JAIL 8
	.Os
	.Sh NAME
	@@ -413,6 +413,12 @@
	setting this parameter it may have a higher one.
	If the system securelevel is changed, any jail securelevels will be at
	least as secure.
	+.It Va suser_enable
	+The value of the jail's
	+.Va security.bsd.suser_enabled
	+sysctl.
	+The suser_enabled will be disabled automatically if its parent system has it
	+disabled.
	.It Va devfs_ruleset
	The number of the devfs ruleset that is enforced for mounting devfs in
	this jail.
	Index: usr.sbin/jail/jailp.h
	===================================================================
	--- usr.sbin/jail/jailp.h
	+++ usr.sbin/jail/jailp.h
	@@ -135,6 +135,7 @@
	KP_PATH,
	KP_PERSIST,
	KP_SECURELEVEL,
	+ KP_SUSER_ENABLED,
	KP_VNET,
	IP_NPARAM
	};

File Metadata

Mime Type: text/plain
Expires: Sat, May 23, 12:01 PM (3 h, 57 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 33446118
Default Alt Text: D27128.id79356.diff (6 KB)

D27128.id79356.diffNo OneTemporaryActions

D27128.id79356.diffView Options

File Metadata

Event Timeline

D27128.id79356.diff
No OneTemporary
Actions

D27128.id79356.diff
View Options