
Mon, Nov 23

jamie accepted D27297: [1/2] kern: cpuset: allow cpuset_create() to take an allocated *setp.
Mon, Nov 23, 9:36 PM
jamie accepted D27298: [2/2] kern: cpuset: properly rebase when attaching to a jail.
Mon, Nov 23, 9:36 PM
jamie added a comment to D27298: [2/2] kern: cpuset: properly rebase when attaching to a jail.

As I had hoped, it took away the expected problem of attaching to a jail (when the process doesn't have its own visible cpuset), and ending up with the process still having its old root cpuset (though under a new anonymous masked bit). That was the real problem I see with the current setup (not that what I didn't see aren't problems as well, but at least there was something I noticed ;-).

Mon, Nov 23, 5:50 AM

Fri, Nov 13

jamie accepted D27128: jail: introduce per jail suser_enabled setting.

It looks to be working correctly on a quick run-through.

Fri, Nov 13, 11:58 PM
jamie added inline comments to D27128: jail: introduce per jail suser_enabled setting.
Fri, Nov 13, 8:34 PM

Thu, Nov 12

jamie added inline comments to D27128: jail: introduce per jail suser_enabled setting.
Thu, Nov 12, 10:38 PM
jamie added a comment to D27178: Summary:Allow PRIV_IO and PRIV_KMEM_WRITE to allow bhyve pci passthrough to work inside jails..

It looks like you can just include "security" which will get the security team's attention. But first, I suggest you need to at least put in what r216266 had (the allow.kmem privilege).

Thu, Nov 12, 5:31 PM
jamie added a comment to D27178: Summary:Allow PRIV_IO and PRIV_KMEM_WRITE to allow bhyve pci passthrough to work inside jails..

I don't think this will go anywhere. There was an attempt to do this a while ago, with a new jail parameter allow.kmem (default not allowed) to not let it happen accidentally. Even with that, it fell flat - see commits r261266 and r261326. While I'm not against it myself, I don't wear a security hat, and I defer to those that do.

Thu, Nov 12, 1:21 AM

Mon, Nov 9

jamie added a comment to D27128: jail: introduce per jail suser_enabled setting.

BTW I used allow.suser in my example, but of course it could as easily be allow.suser_enabled. To me the "allow" and "enabled" sound redundant together, but allow.suser_enabled still might be a better name because it's the same as security.bsd.suser_enabled. So either choice is fine.

Mon, Nov 9, 9:28 PM
jamie added a comment to D27128: jail: introduce per jail suser_enabled setting.

Sorry, I really hope I'm not annoying. Correct me if I'm wrong, I'm very new to this code.
The allow.* is something that we enable in jail. For example, we are enabling raw sockets.
In the case of suser (at least in my code) the suser by default is enabled (set to 1), and we would like to have the option to explicitly disable it.
I think this is additional protection that a user may want, but it can really limit the usability of the jails (a lot of things don't work, like setuid, chroot, initgroups etc.).
So at least for me the allow.* flags suggest that we are giving additional permission, but actually we would like to disallow something.
This is why I was looking more into the 'securelevel' than the 'allow.*' flags.

Or are you suggesting that the suser by default was disabled, and we enable it per jail? But won't this be too annoying?

Mon, Nov 9, 9:23 PM
jamie added a comment to D27128: jail: introduce per jail suser_enabled setting.

On the subject of a jail being able to clear (and only clear) its own suser_enabled bit via sysctl, I think the static suser_enabled variable in kern_priv.c is redundant. You already have something in prison0 which does the same job. Removing the redundant variable would add a touch of complexity, in that the sysctl would need code to change the child jails. But I think that's cleaner than having a similar (but not quite the same) value in two different places.

Mon, Nov 9, 8:51 PM
jamie added a comment to D27128: jail: introduce per jail suser_enabled setting.

If I understand correctly - the allow.* and the suser have reverted values. You can disable suser, which by default is enabled. I wanted to make it exactly the same as the sysctl on the host system, but I don't have a strong opinion here.
I'm not sure if I understand. Do you suggest having allow.suser, which allows you to change the suser sysctl?
There should be no possibility to get back the suser privilege inside the jail.
In the scenario I tested you can give/retrieve the suser from the host.

Mon, Nov 9, 8:43 PM
jamie added a comment to D27128: jail: introduce per jail suser_enabled setting.

Can you elaborate on what that rare case of wanting to regain suser ability is?

Mon, Nov 9, 8:18 PM
jamie added a comment to D27128: jail: introduce per jail suser_enabled setting.

It may be handy to allow jailed root to control its own security.bsd.suser_enabled.

Mon, Nov 9, 5:57 PM
jamie added a comment to D27128: jail: introduce per jail suser_enabled setting.

I would prefer allow.suser instead of suser_enabled. It's the logical place for such flags, and you can take advantage of existing code that manages disallowing adding a permission the parent lacks, and passing the restriction on to child jails. Then much of this diff can be collapsed into adding to pr_flag_allow, JAIL_DEFAULT_ALLOW, and SYSCTL_JAIL_PARAM(_allow, ...).

Mon, Nov 9, 5:50 PM

Oct 26 2020

jamie added a comment to D26957: sockstat: chdir to jail path before attaching to vnet jail.

Yes, I imagine that's all it needs.

Oct 26 2020, 5:46 PM
jamie added a comment to D26957: sockstat: chdir to jail path before attaching to vnet jail.

Or is it significant enough to just fix a syscall? There's no good reason to attach to a jail while not being inside its directory structure, and I don't know of any program that depends on such a misfeature.

Oct 26 2020, 5:14 PM

Oct 14 2020

jamie added inline comments to D26782: Allow PING(8) in jails without raw socket access permissions.
Oct 14 2020, 6:38 PM
jamie added a comment to D26782: Allow PING(8) in jails without raw socket access permissions.

You've added an optional permission bit, but there's no option to change it. If it would make sense to allow it to all jails, there's no need for PR_ALLOW_ICMP_ACCESS. If it would make sense to restrict to some jails, there needs to be a matching jail.allow parameter, as defined in kern_jail.c's pr_flag_allow array and SYSCTL_JAIL_PARAM(_allow, ...).

Oct 14 2020, 6:35 PM

Sep 4 2020

jamie committed rS365321: MFC r364970:.
MFC r364970:
Sep 4 2020, 12:24 AM
jamie committed rS365320: MFC r364850:.
MFC r364850:
Sep 4 2020, 12:22 AM

Aug 30 2020

jamie added a comment to D25560: Fix a lock order reversal during jail/vnet creation.

The patch looks good to me, but I'm unable to get that LOR on an unpatched system. Has something been fixed in the meantime?

Aug 30 2020, 12:09 AM

Aug 29 2020

jamie committed rS364970: Add __BEGIN_DECLS to jail.h to keep C++ happy..
Add __BEGIN_DECLS to jail.h to keep C++ happy.
Aug 29 2020, 10:24 PM
jamie committed rS364969: Fix a null dereference when debug.disablefullpath=1 and jail created.
Fix a null dereference when debug.disablefullpath=1 and jail created
Aug 29 2020, 10:09 PM

Aug 27 2020

jamie committed rS364874: Disregard jails in jail.conf that have bad parameters (parameter/variable.
Disregard jails in jail.conf that have bad parameters (parameter/variable
Aug 27 2020, 5:05 PM
jamie committed rS364850: Don't allow jail.conf variables to have the same names as jail parameters..
Don't allow jail.conf variables to have the same names as jail parameters.
Aug 27 2020, 12:17 AM

Aug 26 2020

jamie committed rS364828: Back out r364791 to unbreak jails. Lesson learned: "compile and test" means.
Back out r364791 to unbreak jails. Lesson learned: "compile and test" means
Aug 26 2020, 6:35 PM
jamie committed rS364791: Handle jail.conf variables that have the same names as parameters..
Handle jail.conf variables that have the same names as parameters.
Aug 26 2020, 12:43 AM

May 29 2020

jamie added a comment to D25041: Add jail_attach2 syscall.

I'll try the jail_set approach.

May 29 2020, 5:03 PM
jamie added a comment to D25041: Add jail_attach2 syscall.

Considering jail_set(2) can also attach with the JAIL_ATTACH flag, it would be handy to put these new flags in the same space, with a JAIL_ATTACH_MASK including them. Then the attaching done by jail_set can also do the right thing if it chooses.

May 29 2020, 1:05 AM

May 14 2020

jamie accepted D24829: jail: Add exec.prepare and exec.release command hooks.
May 14 2020, 8:10 PM

May 13 2020

jamie added a comment to D24829: jail: Add exec.prepare and exec.release command hooks.

Might it also be useful to include something similar on the stop side, run after taking down the IP addresses? I can't think of a use offhand, unless one wants to leave absolutely no trace of jails, and remove everything that was added in exec.prepare.

May 13 2020, 8:46 PM
jamie added a comment to D24829: jail: Add exec.prepare and exec.release command hooks.

It would make sense for this to be two separate commits - one for the reordering of IP_*.

May 13 2020, 8:43 PM

May 7 2020

jamie added a comment to D24745: jail(8): ignore SIGINT.

There's a "right thing" to do on SIGINT, though it's not immediately obvious what that is. In the jail creation process, it would make sense to clean up a partially created jail, probably in conjunction with letting the jailed processes handle their own SIGINT. But that's not quite the same as just ignoring it, because there are other cases:

May 7 2020, 4:24 PM

May 1 2020

jamie added a comment to D9649: ifconfig(8) and route(8) should be able to manage vnet configurations from prison0.

If jail_attach(2) doesn't leave a process sufficiently jailed to the point that it can be used for jailbreak, that's a bug in jail_attach that should be fixed.

May 1 2020, 2:39 PM · network

Apr 24 2020

jamie accepted D24413: sockstat: Attach to jail if in new vnet.

Looks good!

Apr 24 2020, 3:50 PM

Apr 23 2020

jamie added a comment to D24413: sockstat: Attach to jail if in new vnet.

It may be a better user interface if "-j" automatically did the right thing - limit output to the specified jail for traditional jails, and attach to vnet jails. So after the jail_getid(), a jail_get() or jail_getv() to fetch the jail's vnet parameter. Then the jail_attach() can happen if the vnet is JAIL_SYS_NEW.

Apr 23 2020, 8:12 PM

Apr 14 2020

jamie accepted D24288: Allow hostuuid to be preloaded for early-boot use.
Apr 14 2020, 3:56 PM

Apr 6 2020

jamie added inline comments to D24288: Allow hostuuid to be preloaded for early-boot use.
Apr 6 2020, 10:08 PM

Sep 5 2019

jamie accepted D21328: [jail] removal by jid doesn't trigger pre/post stop scripts.

Aside from a few trailing whitespaces, this all looks good to me.

Sep 5 2019, 10:10 PM

Jun 18 2019

jamie committed rS349180: Unmount filesystems on jail removal with "-f", to get around a situation.
Unmount filesystems on jail removal with "-f", to get around a situation
Jun 18 2019, 11:49 PM

May 23 2019

jamie accepted D20388: jail_getid(3): validate jid string input.

Tested with ps and jexec, passing jail name and jid, and with numerically and non-numerically named jails. All's good :-).

May 23 2019, 10:46 PM

Nov 27 2018

jamie committed rS341084: In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl.
In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl
Nov 27 2018, 5:53 PM
jamie closed D18319: Make security.bsd.unprivileged_proc_debug per-jail.
Nov 27 2018, 5:53 PM
jamie updated the diff for D18319: Make security.bsd.unprivileged_proc_debug per-jail.

New jails are now created with the unprivileged_proc_debug bit inherited from the parent unless otherwise specified.

Nov 27 2018, 5:22 PM
jamie commandeered D18319: Make security.bsd.unprivileged_proc_debug per-jail.

Huh - so I can. I didn't know of (or even suspect) such a possibility.

Nov 27 2018, 5:19 PM
jamie added a comment to D18319: Make security.bsd.unprivileged_proc_debug per-jail.

Sorry for a post-acceptance note, but on trying it out I noticed that jails are created by default with allow.nounprivileged_proc_debug. That's an easy fix - the bit needs to be added to PW_DEFAULT_ALLOW in kern_jail.h. I'm apparently unable to change the diff in this revision, so instead of creating a new revision I'll just mention that's what I'll be committing.

Nov 27 2018, 3:50 AM

Nov 24 2018

jamie accepted D18319: Make security.bsd.unprivileged_proc_debug per-jail.
Nov 24 2018, 11:52 PM
jamie added a comment to D18319: Make security.bsd.unprivileged_proc_debug per-jail.

Because of this, having the check in sys/kern/kern_priv.c is the right place. There's no real need to duplicate the logic to prison_priv_check. I can still add it, if you want, but I believe it would be a waste of cycles.

Nov 24 2018, 9:39 PM
jamie added a comment to D18319: Make security.bsd.unprivileged_proc_debug per-jail.

priv_check_cred() in kern_priv.c isn't the right place to make the check, but prison_priv_check() in kern_jail.c. PRIV_DEBUG_UNPRIV is already in that function's list, in the part that lets jails do things, and it needs to be moved to the bottom part of the function where you'll see a number of other cases where a certain privilege checks a certain pr_allow bit.

Nov 24 2018, 4:56 AM
jamie added a comment to D18319: Make security.bsd.unprivileged_proc_debug per-jail.

Then the jail must simply obey the existing state of unprivileged process debugging. We could go that route, but I wanted to make it flexible. I think setting CTLFLAG_SECURE is a good compromise between flexibility and security.

Nov 24 2018, 12:29 AM
jamie added a comment to D18319: Make security.bsd.unprivileged_proc_debug per-jail.

OK, if the jail needs to have that bit set before anything is run, then yes it needs to be a parameter.

Nov 24 2018, 12:19 AM

Nov 23 2018

jamie added a comment to D18319: Make security.bsd.unprivileged_proc_debug per-jail.

Since this bit is under the full control of the prison itself, does it belong in pr_allow? On the plus side, that lets the system create a jail with this turned on, but that can be just as easily done in the jail's sysctl.conf. It's something of a departure from the idea of this being something the jail is or isn't allowed to do. If you forgo the ability to set it as a jail parameter, then the bit can go into pr_flags and you won't have to bother noting which PR_ALLOW bits are allowed to be set.

Nov 23 2018, 11:53 PM

Nov 10 2018

jamie accepted D17929: libjail: fix handling of allow.mount.fusefs in jailparam_init.
Nov 10 2018, 2:47 AM
jamie added inline comments to D17929: libjail: fix handling of allow.mount.fusefs in jailparam_init.
Nov 10 2018, 2:18 AM
jamie added a comment to D17929: libjail: fix handling of allow.mount.fusefs in jailparam_init.

It's allow.mount.nofusefs. It should (currently) work once the kld is loaded, but the new strcmp will need to be added to make it work before it's loaded.

Nov 10 2018, 2:17 AM
jamie added a comment to D17929: libjail: fix handling of allow.mount.fusefs in jailparam_init.

It works with allow.mount.fusefs, but not with allow.mount.nofusefs (which will still try to kldload "fusefs"). Comparing the fs name to both "fusefs" and "nofusefs" should be all that's needed.

Nov 10 2018, 12:34 AM

Oct 20 2018

jamie committed rS339446: MFC r339409, r339420:.
MFC r339409, r339420:
Oct 20 2018, 4:21 PM

Oct 18 2018

jamie committed rS339420: Fix typos from r339409..
Fix typos from r339409.
Oct 18 2018, 3:03 PM

Oct 17 2018

jamie committed rS339411: MFC r339211:.
MFC r339211:
Oct 17 2018, 4:18 PM
jamie committed rS339410: MFC r339211:.
MFC r339211:
Oct 17 2018, 4:18 PM
jamie committed rS339409: Add a new jail permission, allow.read_msgbuf. When true, jailed processes.
Add a new jail permission, allow.read_msgbuf. When true, jailed processes
Oct 17 2018, 4:12 PM

Oct 6 2018

jamie committed rS339211: Fix the test prohibiting jails from sharing IP addresses..
Fix the test prohibiting jails from sharing IP addresses.
Oct 6 2018, 2:10 AM

Aug 20 2018

jamie committed rS338091: MFC r337867:.
MFC r337867:
Aug 20 2018, 5:33 AM
jamie committed rS338090: MFC r337867:.
MFC r337867:
Aug 20 2018, 5:33 AM

Aug 16 2018

jamie committed rS337925: Revert r337922, except for some documention-only bits. This needs to wait.
Revert r337922, except for some documention-only bits. This needs to wait
Aug 16 2018, 7:09 PM
jamie committed rS337922: Put jail(2) under COMPAT_FREEBSD11. It has been the "old" way of creating.
Put jail(2) under COMPAT_FREEBSD11. It has been the "old" way of creating
Aug 16 2018, 6:40 PM
jamie committed rS337919: security.jail.enforce_statfs is handled by jail_set(2), so handling it in.
security.jail.enforce_statfs is handled by jail_set(2), so handling it in
Aug 16 2018, 6:31 PM
jamie closed D14791: Remove deprecated jail global permission sysctls, and make jail(2) COMPAT_FREEBSD11.
Aug 16 2018, 6:31 PM · committers

Aug 15 2018

jamie committed rS337880: Load filesystem modules associated with allow.mount permissions..
Load filesystem modules associated with allow.mount permissions.
Aug 15 2018, 10:33 PM
jamie committed rS337879: Load filesystem modules associated with allow.mount permissions..
Load filesystem modules associated with allow.mount permissions.
Aug 15 2018, 10:32 PM
jamie committed rS337876: MFC r331332:.
MFC r331332:
Aug 15 2018, 9:38 PM
jamie committed rS337875: MFC r331332:.
MFC r331332:
Aug 15 2018, 9:38 PM
jamie committed rS337867: Don't let clobber jailparam values when checking for modification of.
Don't let clobber jailparam values when checking for modification of
Aug 15 2018, 8:23 PM

Aug 14 2018

jamie updated the diff for D14791: Remove deprecated jail global permission sysctls, and make jail(2) COMPAT_FREEBSD11.

I'm keeping the sysctls around, though without COMPAT_FREEBSD11 (or with BURN_BRIDGES), they're read-only. This preserves the expected behavior for programs that want to find out what they're allowed to do before attempting it (e.g. rc.d/hostname and rc.d/zfs). But they will no longer be used to set global permissions for jails.

Aug 14 2018, 3:16 PM · committers
jamie accepted D15330: jail exec.started hook.

OK, looks good with one last-minute nit: spaces in the jailp.h line where a tab should be

Aug 14 2018, 2:58 PM

Aug 12 2018

jamie added a comment to D15330: jail exec.started hook.

Yes, this is a need that has gone unanswered for a while now.

Aug 12 2018, 2:27 PM

Jul 30 2018

jamie accepted D16057: Support bhyve within a jail.
Jul 30 2018, 5:35 PM · bhyve
jamie added inline comments to D16057: Support bhyve within a jail.
Jul 30 2018, 4:46 PM · bhyve
jamie added a comment to D16057: Support bhyve within a jail.

One more thing to do: jail(8) should mention the flag. There's a section about module-specific flags where I think it would fit better than the main allow.* section.

Jul 30 2018, 2:20 AM · bhyve
jamie added inline comments to D16057: Support bhyve within a jail.
Jul 30 2018, 2:20 AM · bhyve

Jul 20 2018

jamie accepted D16371: Allow mounting FUSE filesystems in jails.

It's good to see that jail-enabling a filesystem is indeed easier now than it used to be!

Jul 20 2018, 9:32 PM

Jul 19 2018

jamie accepted D16342: Add allow.mlock to jail parameters.
Jul 19 2018, 2:58 PM

Jul 6 2018

jamie committed rS336040: MFC r335921:.
MFC r335921:
Jul 6 2018, 7:10 PM
jamie committed rS336039: MFC r335921:.
MFC r335921:
Jul 6 2018, 7:10 PM
jamie committed rS336038: Change prison_add_vfs() to the more generic prison_add_allow(), which.
Change prison_add_vfs() to the more generic prison_add_allow(), which
Jul 6 2018, 6:50 PM
jamie closed D16146: Add prison_add_allow(), for creating dynamic allow.* jail parameters.
Jul 6 2018, 6:50 PM
jamie committed rS336035: Missed a bit of doc change from r335921..
Missed a bit of doc change from r335921.
Jul 6 2018, 4:23 PM

Jul 5 2018

jamie added a comment to D16057: Support bhyve within a jail.

I've added D16146, which makes a new allow.* bit easy:

Jul 5 2018, 6:35 PM · bhyve
jamie created D16146: Add prison_add_allow(), for creating dynamic allow.* jail parameters.
Jul 5 2018, 6:33 PM
jamie added a comment to D16057: Support bhyve within a jail.

In addition to the question of where to check the permissions, there's also the issue that the allow.vmm parameter shouldn't exist in a non-VMM system. This means the SYSCTL_JAIL_PARAM should be defined in vmm_dev.c or some other vmm-related file; that way, if VMM is loaded as a module, the parameter would be attached to that module.

Jul 5 2018, 3:02 PM · bhyve

Jul 4 2018

jamie added inline comments to D16057: Support bhyve within a jail.
Jul 4 2018, 7:17 PM · bhyve

Jul 3 2018

jamie committed rS335921: Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8),.
Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8),
Jul 3 2018, 11:47 PM
jamie closed D16047: Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8), sockstat(1), ugidfw(8).
Jul 3 2018, 11:47 PM

Jun 28 2018

jamie added inline comments to D16047: Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8), sockstat(1), ugidfw(8).
Jun 28 2018, 9:26 PM
jamie created D16047: Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8), sockstat(1), ugidfw(8).
Jun 28 2018, 4:41 PM

Jun 18 2018

jamie added inline comments to D15865: Provide process space virtualisation functionality for jails..
Jun 18 2018, 6:51 PM

May 24 2018

jamie added inline comments to D15556: Initial vps (virtual process space) framework for jails..
May 24 2018, 7:18 PM
jamie added a comment to D15556: Initial vps (virtual process space) framework for jails..

What does this buy us? What I can come up with is:

May 24 2018, 7:14 PM

May 4 2018

jamie committed rS333263: Make it easier for filesystems to count themselves as jail-enabled,.
Make it easier for filesystems to count themselves as jail-enabled,
May 4 2018, 8:54 PM