From owner-freebsd-jail@freebsd.org  Fri Nov 27 05:04:29 2020
From: Kyle Evans <kevans@freebsd.org>
Date: Thu, 26 Nov 2020 23:04:17 -0600
Message-ID: <CACNAnaEKoBppjG8HH0KgYQv0EHPUcHmB3teyw1PQrjG3xsbXYQ@mail.gmail.com>
Subject: RFC: Jail privsets
To: freebsd-jail <freebsd-jail@freebsd.org>, 
 "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
List-Id: "Discussion about FreeBSD jail\(8\)" <freebsd-jail.freebsd.org>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-jail/>

(Cross-posting to -arch and -jail for maximum reach)

Hi,

A couple of times recently, I've had a need or desire to increase or
decrease privileges available to jails I create to some extent. You
can write a MAC policy for this, but at some point the downsides of
MAC policies for this became clear: either it's non-trivial to allow
the kind of flexibility you may need in configuring some of these
jails, or you have to rebuild the module.

I've got a generally functional patch at [1] that is an approach I'd
like to request comments on for refining jail privileges. It creates a
privset that can be assigned on a per-jail basis, and a creator with
PRIV_JAIL_SETPRIVS can specify any privset mask that's a subset of the
parent prison.

If no privset was specified at creation time, then we use the default
logic that was previously in prison_priv_check(). prison_priv_check()
has been replaced with a much simpler check of the prison's privset
for the given privilege.

As I was writing this, I identified the first problem with it: it
doesn't currently respond to ALLOW_* updates and grant the appropriate
privileges after initialization time -- this is a pretty easy fix, and
I will do so if anyone else finds this useful.

The other caveat is that I have no idea if there's a useful way to
expose this to jail(8) users, but they're not really the primary
target for this -- the primary target is system application developers
that want more fine control over what a jail they're creating can do.

This is an excellent foot-gun, but with great power comes great responsibility.

Thanks,

Kyle Evans

[1] https://people.freebsd.org/~kevans/privset.diff
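The model the mail describes (a per-jail privilege bitset that a creator holding PRIV_JAIL_SETPRIVS may assign as long as it is a subset of the parent prison, a prison_priv_check() reduced to a set lookup, and the re-application of ALLOW_* flags that the author lists as the open issue) can be sketched in userland C. This is an added illustration, not code from privset.diff or from the FreeBSD tree: the privilege numbers, the ALLOW_* flag values, the struct layouts and every function below are constructed placeholders, and the "default logic" is simplified to ALLOW_*-derived grants only.

```c
/* Constructed model of per-jail privsets; not the privset.diff code.
 * Privilege numbers and ALLOW_* values are placeholders, not FreeBSD's. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PRIV_MAX        256
#define PRIVSET_WORDS   (PRIV_MAX / 64)

enum {                          /* hypothetical priv(9) numbers */
	PRIV_JAIL_SETPRIVS = 1, /* name from the mail; number made up */
	PRIV_NET_RAW       = 2,
	PRIV_VFS_MOUNT     = 3,
	PRIV_SCHED_SETPRIO = 4,
};

#define ALLOW_MOUNT        0x1  /* hypothetical ALLOW_* flag bits */
#define ALLOW_RAW_SOCKETS  0x2

struct privset { uint64_t bits[PRIVSET_WORDS]; };

struct prison {
	struct prison  *pr_parent;  /* NULL for the host */
	struct privset  pr_privs;   /* privileges this jail may exercise */
	unsigned        pr_allow;   /* ALLOW_* flags */
};

static void privset_fill(struct privset *ps) { memset(ps->bits, 0xff, sizeof ps->bits); }
static void privset_zero(struct privset *ps) { memset(ps->bits, 0, sizeof ps->bits); }
static void privset_add(struct privset *ps, int priv)
{ ps->bits[priv / 64] |= (uint64_t)1 << (priv % 64); }
static void privset_del(struct privset *ps, int priv)
{ ps->bits[priv / 64] &= ~((uint64_t)1 << (priv % 64)); }
static bool privset_has(const struct privset *ps, int priv)
{ return ((ps->bits[priv / 64] >> (priv % 64)) & 1) != 0; }

/* True when every privilege in child is also present in parent. */
static bool privset_is_subset(const struct privset *child, const struct privset *parent)
{
	for (int i = 0; i < PRIVSET_WORDS; i++)
		if (child->bits[i] & ~parent->bits[i])
			return false;
	return true;
}

/* The replacement check: a plain lookup in the prison's privset. */
static int prison_priv_check(const struct prison *pr, int priv)
{ return privset_has(&pr->pr_privs, priv) ? 0 : EPERM; }

/* Grant what the ALLOW_* flags imply, clipped to the parent's privset.
 * Re-running this after a flag update is the "easy fix" the mail mentions. */
static void prison_apply_allow(struct prison *pr)
{
	if (pr->pr_allow & ALLOW_MOUNT)
		privset_add(&pr->pr_privs, PRIV_VFS_MOUNT);
	if (pr->pr_allow & ALLOW_RAW_SOCKETS)
		privset_add(&pr->pr_privs, PRIV_NET_RAW);
	if (pr->pr_parent != NULL)
		for (int i = 0; i < PRIVSET_WORDS; i++)
			pr->pr_privs.bits[i] &= pr->pr_parent->pr_privs.bits[i];
}

/* Create a child of creator; requested is an explicit privset or NULL
 * for the default (here: ALLOW_*-derived) logic. Returns 0 or an errno. */
static int prison_create(struct prison *creator, const struct privset *requested,
    unsigned allow, struct prison *child)
{
	memset(child, 0, sizeof *child);
	child->pr_parent = creator;
	child->pr_allow = allow;
	if (requested == NULL) {
		prison_apply_allow(child);
		return 0;
	}
	if (prison_priv_check(creator, PRIV_JAIL_SETPRIVS) != 0)
		return EPERM;       /* creator may not hand out privsets */
	if (!privset_is_subset(requested, &creator->pr_privs))
		return EPERM;       /* must not exceed the parent prison */
	child->pr_privs = *requested;
	return 0;
}

/* Constructed host: everything except raw sockets. */
static void host_init(struct prison *host)
{
	memset(host, 0, sizeof *host);
	privset_fill(&host->pr_privs);
	privset_del(&host->pr_privs, PRIV_NET_RAW);
}

/* Asking for a privilege the host lacks is refused. */
static int scenario_superset_rejected(void)
{
	struct prison host, child; struct privset req;
	host_init(&host); privset_zero(&req); privset_add(&req, PRIV_NET_RAW);
	return prison_create(&host, &req, 0, &child);
}

/* Explicit subset {VFS_MOUNT}: check result for priv in the child. */
static int scenario_explicit_subset(int priv)
{
	struct prison host, child; struct privset req;
	host_init(&host); privset_zero(&req); privset_add(&req, PRIV_VFS_MOUNT);
	if (prison_create(&host, &req, 0, &child) != 0)
		return -1;
	return prison_priv_check(&child, priv);
}

/* Default child, then an ALLOW_* update re-applied and clipped to the host. */
static int scenario_allow_update(int priv)
{
	struct prison host, child;
	host_init(&host);
	prison_create(&host, NULL, 0, &child);
	child.pr_allow = ALLOW_MOUNT | ALLOW_RAW_SOCKETS;
	prison_apply_allow(&child);
	return prison_priv_check(&child, priv);
}

/* A jail created without PRIV_JAIL_SETPRIVS cannot assign privsets itself. */
static int scenario_creator_lacks_setprivs(void)
{
	struct prison host, mid, child; struct privset req;
	host_init(&host); privset_zero(&req); privset_add(&req, PRIV_VFS_MOUNT);
	prison_create(&host, &req, 0, &mid);
	return prison_create(&mid, &req, 0, &child);
}
```

The two invariants worth keeping in view are the subset test at assignment time and the clipping step in prison_apply_allow(): without the second, re-applying ALLOW_* after creation would be exactly the path by which a child could regain a privilege its parent was never given.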