Date: Thu, 26 Nov 2020 23:04:17 -0600
From: Kyle Evans <kevans@freebsd.org>
To: freebsd-jail <freebsd-jail@freebsd.org>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject: RFC: Jail privsets
Message-ID: <CACNAnaEKoBppjG8HH0KgYQv0EHPUcHmB3teyw1PQrjG3xsbXYQ@mail.gmail.com>
(Cross-posting to -arch and -jail for maximum reach)

Hi,

A couple of times recently, I've had a need or desire to increase or decrease, to some extent, the privileges available to jails I create. You can write a MAC policy for this, but at some point the downsides of MAC policies for this became clear: either it's non-trivial to allow the kind of flexibility you may need in configuring some of these jails, or you have to rebuild the module otherwise.

I've got a generally functional patch at [1] that is an approach I'd like to request comments on for refining jail privileges. It creates a privset that can be assigned on a per-jail basis, and a creator with PRIV_JAIL_SETPRIVS can specify any privset mask that's a subset of the parent prison's. If no privset was specified at creation time, then we use the default logic that was previously in prison_priv_check(). prison_priv_check() has been replaced with a much simpler check of the prison's privset for the given privilege.

As I was writing this, I identified the first problem with it: it doesn't currently respond to ALLOW_* updates and grant the appropriate privileges after initialization time. This is a pretty easy fix, and I will do so if anyone else finds this useful.

The other caveat is that I have no idea if there's a useful way to expose this to jail(8) users, but they're not really the primary target for this. The primary target is system application developers that want finer control over what a jail they're creating can do.

This is an excellent foot-gun, but with great power comes great responsibility.

Thanks,

Kyle Evans

[1] https://people.freebsd.org/~kevans/privset.diff
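To make the semantics of the proposal concrete, below is a small C model of the mechanism the RFC describes. It is an added example written for this page; it is not code from the patch at [1] or from the FreeBSD tree. Only the names PRIV_JAIL_SETPRIVS and prison_priv_check() come from the message. Everything else is assumed for illustration: the privilege numbers and 256-bit privset layout, the privset_* helpers, prison_create(), setup_tree(), the scenario functions, modelling the creating process as running in the parent prison (so the parent's privset stands for the creator's credentials), and the contents of the default set and its masking by the parent. The model shows three behaviours the RFC states: an explicit privset must be a subset of the parent's, so a jail cannot escalate through a child; passing an explicit set at all requires PRIV_JAIL_SETPRIVS; and the privilege check collapses to a single bit test.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical privilege numbers; real priv(9) values differ. Only the names
 * PRIV_JAIL_SETPRIVS and prison_priv_check() are taken from the RFC. */
enum { PRIV_JAIL_SETPRIVS = 10, PRIV_NET_BIND = 20, PRIV_VFS_MOUNT = 30,
       PRIV_KLD_LOAD = 40, PRIV_COUNT = 256 };

typedef struct { uint64_t bits[PRIV_COUNT / 64]; } privset_t;
struct prison { privset_t privs; };	/* the only field this model needs */
static void privset_set(privset_t *s, int p) { s->bits[p / 64] |= 1ULL << (p % 64); }
static bool privset_test(const privset_t *s, int p) { return (s->bits[p / 64] >> (p % 64)) & 1; }

static bool privset_is_subset(const privset_t *sub, const privset_t *super)
{
	for (int i = 0; i < PRIV_COUNT / 64; i++)
		if (sub->bits[i] & ~super->bits[i])
			return false;
	return true;
}

/* Default for a jail created without a privset: stands in for the allow-list the
 * old prison_priv_check() hard-coded (members illustrative); masking by the
 * parent so the default never exceeds it is this model's assumption. */
static void privset_default(privset_t *out, const struct prison *parent)
{
	memset(out, 0, sizeof *out);
	privset_set(out, PRIV_NET_BIND);
	for (int i = 0; i < PRIV_COUNT / 64; i++)
		out->bits[i] &= parent->privs.bits[i];
}

/* Creator modelled as running in parent. Returns 0, EPERM if the creator lacks
 * PRIV_JAIL_SETPRIVS, or EINVAL if requested is not a subset of parent's set. */
static int prison_create(struct prison *child, const struct prison *parent,
    const privset_t *requested)
{
	if (requested == NULL) {
		privset_default(&child->privs, parent);
		return 0;
	}
	if (!privset_test(&parent->privs, PRIV_JAIL_SETPRIVS))
		return EPERM;
	if (!privset_is_subset(requested, &parent->privs))
		return EINVAL;
	child->privs = *requested;
	return 0;
}

/* The replacement check: one bit test instead of a switch over privileges. */
static int prison_priv_check(const struct prison *pr, int priv)
{
	return privset_test(&pr->privs, priv) ? 0 : EPERM;
}

/* root (host) prison holds every privilege; a is created under it by setup_tree(). */
static struct prison root = { { { ~0ULL, ~0ULL, ~0ULL, ~0ULL } } }, a;

static int setup_tree(void)	/* a = { PRIV_JAIL_SETPRIVS, PRIV_NET_BIND } */
{
	privset_t want = { { 0 } };
	privset_set(&want, PRIV_JAIL_SETPRIVS);
	privset_set(&want, PRIV_NET_BIND);
	return prison_create(&a, &root, &want);
}

/* a may delegate, but cannot hand a child a privilege a itself lacks. */
static int scenario_no_escalation(void)
{
	struct prison b;
	if (setup_tree() != 0)
		return -1;
	privset_t more = a.privs;
	privset_set(&more, PRIV_KLD_LOAD);
	return prison_create(&b, &a, &more);	/* EINVAL */
}

/* A jail without PRIV_JAIL_SETPRIVS may not pass an explicit privset at all. */
static int scenario_needs_setprivs(void)
{
	struct prison b, c;
	privset_t sub = { { 0 } };
	if (setup_tree() != 0)
		return -1;
	privset_set(&sub, PRIV_NET_BIND);	/* b gets NET_BIND only */
	if (prison_create(&b, &a, &sub) != 0)
		return -1;
	return prison_create(&c, &b, &sub);	/* EPERM, even though sub is a subset */
}

/* No privset given: the child gets the default, and checks are bit tests. */
static bool scenario_default_and_check(void)
{
	struct prison b;
	if (setup_tree() != 0 || prison_create(&b, &a, NULL) != 0)
		return false;
	return prison_priv_check(&b, PRIV_NET_BIND) == 0 &&
	    prison_priv_check(&b, PRIV_VFS_MOUNT) == EPERM;
}
```

The subset rule only bounds nesting: it guarantees a child never holds more than its parent, not that any particular grant is safe. A creator in the root prison with PRIV_JAIL_SETPRIVS can hand a child any privilege the host has, which is the foot-gun the RFC mentions, so a consumer of this interface still has to decide per privilege what a given jail should be allowed to do.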