- User Since
- Aug 3 2014, 10:29 PM (279 w, 5 d)
Sep 5 2019
Aside from a few trailing whitespaces, this all looks good to me.
Jun 18 2019
May 23 2019
Tested with ps and jexec, passing jail name and jid, and with numerically and non-numerically named jails. All's good :-).
Nov 27 2018
New jails are now created with the unprivileged_proc_debug bit inherited from the parent unless otherwise specified.
Huh - so I can. I didn't know of (or even suspect) such a possibility.
Sorry for a post-acceptance note, but on trying it out I noticed that jails are created by default with allow.nounprivileged_proc_debug. That's an easy fix - the bit needs to be added to PW_DEFAULT_ALLOW in kern_jail.h. I'm apparently unable to change the diff in this revision, so instead of creating a new revision I'll just mention that's what I'll be committing.
Nov 24 2018
priv_check_cred() in kern_priv.c isn't the right place to make the check, but prison_priv_check() in kern_jail.c. PRIV_DEBUG_UNPRIV is already in that function's list, in the part that lets jails do things, and it needs to be moved to the bottom part of the function where you'll see a number of other cases where a certain privilege checks a certain pr_allow bit.
OK, if the jail needs to have that bit set before anything is run, then yes it needs to be a parameter.
Nov 23 2018
Since this bit is under the full control of the prison itself, does it belong in pr_allow? On the plus side, that lets the system create a jail with this turned on, but that can be just as easily done in the jail's sysctl.conf. It's something of a departure from the idea of this being something the jail is or isn't allowed to do. If you forgo the ability to set it as a jail parameter, then the bit can go into pr_flags and you won't have to bother noting which PR_ALLOW bits are allowed to be set .
Nov 10 2018
It's allow.mount.nofusefs. It should (currently) work once the kld is loaded, but the new strcmp will need to be added to make it work before it's loaded.
It works with allow.mount.fusefs, but not with allow.mount.nofusefs (which will still try to kldload "fusefs"). Comparing the fs name to both "fusefs" and "nofusefs" should be all that's needed.
Oct 20 2018
Oct 18 2018
Oct 17 2018
Oct 6 2018
Aug 20 2018
Aug 16 2018
Aug 15 2018
Aug 14 2018
I'm keeping the sysctls around, though without COMPAT_FREEBSD11 (or with BURN_BRIDGES), they're read-only. This preserves the expected behavior for programs that want to find out what they're allowed to do before attempting it (e.g. rc.d/hostname and rc.d/zfs). But they will no longer be used to set global permissions for jails.
OK, looks good with one last-minute nit: spaces in the jailp.h line where a tab should be
Aug 12 2018
Yes, this is a need that has gone unanswered for a while now.
Jul 30 2018
One more thing to do: jail(8) should mention the flag. There's a section about module-specific flags where I think it would fit better than the main allow.* section.
Jul 20 2018
It's good to see that jail-enabling a filesystem is indeed easier now than it used to be!
Jul 19 2018
Jul 6 2018
Jul 5 2018
I've added D16146, which makes a new allow.* bit easy:
In addition to the question of where to check the permissions, there's also the issue that the allow.vmm parameter shouldn't exist in a non-VMM system. This means the SYSCTL_JAIL_PARAM should be defined in vmm_dev.c or some other vmm-related file; that way, if VMM is loaded as a module, the parameter would be attached to that module.
Jul 4 2018
Jul 3 2018
Jun 28 2018
Jun 18 2018
May 24 2018
What does this buy us? What I can come up with is:
May 4 2018
Mar 22 2018
Once again, this time actually updating the diff...
As suggested by bz@, I've only removed the sysctls #ifdef BURN_BRIDGES.
I have another revision in the works, D14791, which removes those deprecated global permission parameters. Since this patch works with those parameters, I would naturally adjust whichever one goes in last (provided I get away with the parameter removal).
Te latest diff, to account for the changes I committed to neaten the somewhat messy pr_allow_names/pr_allow_nonames array pairs. And I also went with bumping VFS_VERSION instead of __FreeBSD_version.
Mar 21 2018
Mar 20 2018
Mar 18 2018
The latest changes:
- Put the bits back into pr_allow. Adding pr_allow_mount only served to duplicate code.
- Make the KBI change: put a prison flag in struct vfsconf.
- Replace prison_check_vfs with a call to prison_allow (another advantage of using pr_allow).
- Use asprintf in prison_add_vfs, instead of sprintf/strdup.
- Do the right thing ifdef NO_SYSCTL_DESCR.
Mar 14 2018
I've updated the diff to:
Mar 13 2018
Yes, I could do that - there are a few unused spots in struct prison to make it easy. Then I could leave pr_allow_names pretty much alone (except removing the old static allow.mount.*).
Mar 10 2018
Feb 28 2018
Nov 13 2017
Oct 29 2017
Oct 27 2017
I'm good with it - I was just waiting for suggested changed to make it in.
Oct 25 2017
One more thing to make it complete: something in the jail(8) man page. There's a pseudo-parameters section for things that aren't part of the kernel interface, where this would belong.
Now that it's not really part of the exec system (aside from execing a program itself for convenience), exec.cpuset doesn't sound like the best name. I think cpuset.list would be good, or at least something under the cpuset.* umbrella since cpuset.id already exists.
Jul 31 2017
Jul 3 2017
Jul 2 2017
It has only exhausted 16 bits, no? I would think if you added the flag but left pr_allow as plain "unsigned" your kernel would still work.
May 17 2017
No, cr_seeotheruids() and c r_seeothergids() are fine as is. Since prison_check() comes before everything else, those don't need to worry about th prison situation. You still need the new sysctl though, for the originally identified reason.
prison_check() is required in all cases, because it covers jails that can never be seen, i.e. if you're trying to see processes in a parent jail, or a jail is trying to see the base system. The reason prison_check() does the equality test is because prison_ischild() checks for a "<" kind of relationship when we want a "<=" check.
jailed() isn't the right test. It handles someone on the host system looking at jailed users' processes, but doesn't handle the sub-jail case. If a user in p1 is looking at processes, he shouldn't see anything from p2 which is a jail under p1. Yet, both creds will show up as "jailed".
Apr 8 2017
Mar 31 2017
You don't need the KP_ALLOW_RESERVED_PORTS in jailp.h and config.c - you can just leave these files untouched. The KP_* defines are for parameters that are internally referenced somewhere within jail(8). That includes most of the allow.* parameters, only to handle back-compatibility with the security.jail.*_allowed sysctls.