From owner-trustedbsd-discuss@freebsd.org Sun Nov 29 12:51:18 2020 Return-Path: Delivered-To: trustedbsd-discuss@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8E2794A12FC; Sun, 29 Nov 2020 12:51:18 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CkSsf3VgZz4ZGW; Sun, 29 Nov 2020 12:51:18 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mx1.sbone.de (cross.sbone.de [195.201.62.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx1.sbone.de", Issuer "SBone.DE" (not verified)) (Authenticated sender: bz/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 429D0231C6; Sun, 29 Nov 2020 12:51:18 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id CB2F58D4A166; Sun, 29 Nov 2020 12:51:16 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 22AE9E707C7; Sun, 29 Nov 2020 12:51:16 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id zA18_IwF1If9; Sun, 29 Nov 2020 12:51:13 +0000 (UTC) Received: from [127.0.0.1] (unknown [IPv6:fde9:577b:c1a9:4902:20d4:cd87:918b:4dde]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 841D2E707C2; Sun, 29 Nov 2020 12:51:13 +0000 (UTC) From: "Bjoern A. Zeeb" To: "Kyle Evans" , "James Gritton" Cc: freebsd-jail , freebsd-arch@freebsd.org, trustedbsd-discuss@freebsd.org Subject: Re: RFC: Jail privsets Date: Sun, 29 Nov 2020 12:51:12 +0000 X-Mailer: MailMate (2.0BETAr6151) Message-ID: In-Reply-To: References: <06F654BB-B087-4AE5-8599-E5837A85A850@FreeBSD.org> <6BA03DAD-BDCD-4A53-A80A-4B7B476B803C@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit X-BeenThere: trustedbsd-discuss@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Nov 2020 12:51:18 -0000 On 28 Nov 2020, at 14:39, Kyle Evans wrote: Hi, Cc: jamie explicitly as he might have thoughts as well. > Yeah, so jail sets are a little tricky, and to be honest I haven't > really thought about how to cope with common jail sets. The > complication arises because you have various allow flags that > typically default to off and turn privileges on, but your common sets > would have to include them. So, you'd probably end up with: > > privset 0: All privs available to the superuser (not considering > superuser policy just yet) > privset 1: All privs available to jails (assuming most permissive, all > allow flags on and assuming a new vnet on VIMAGE systems) > > So jails would typically inherit privset 1, but they'd have to mask > out based on vnet/allow flags out of necessity. Now, that's not > terrible, but I think we'd have to do a couple more things to reduce > maintenance burden on folks introducing privs: > > 1.) Clearly define a central table that maps pr_flags <-> privs where > there's a 1:1 mapping (most common, though PRIV_VFS_*MOUNT* are a > little more complicated) > 2.) Walk said table when we're defining privs in privset 1 > 3.) Walk said table when we're determining what to mask out > > I suspect the vnet set is large enough that we'd just have a separate > kernel-internal mask for "vnet privs". In any event, for most people, > there will be one of three places that you might touch when adding a > new priv flag or pr_flag mapping to a priv, but it should still be > obvious what you want: either you want a conditionally added flag, you > want to influence the default jail policy, or you want to change the > vnet policy. The latter two scenarios might even be a little easier, > because you don't need to wade through these gigantic switch > statements with a lot of cases to determine where you really want it > to go. I think this is all terribly too complicated. If we’ll have manageable fine-grained priv system, them retire allow and vnet checks for PRIV_* checks and be done with it. If we need new PRIV_* checks to accomplish that adding PRIV_* is semi-cheap to add. The big switch statements in kern_jail.c will go as the applied priv set will do the right thing already, which means at this point we’d have a base-system-privset, a classic-jail-privset, a vnet-jail-privset by default probably. If we want to keep allow* in jails we can probably make them compat code to adjust PRIV_* but I am not sure I’d want jail to still do that or a separate priv command (a la cpuset). Means jails become simple again and a lot of the complicate logic can drop out. >> And yes, that would indeed simplify our jail and network stack (and some >> other) >> code quite a bit. >> >> I’d love this (step-by-step or in whole right away) :-) >> > > :-) > > I'm looking to see if I can define a useful abstraction from > cpuset/domainset that would limit the amount of duplication needed for > this, then I'll post a v2 to Phabricator. There’s probably edge cases in which managing privsets will be a priv as well and we’ll probably need multiple cases: one that can still “widen” priv and one that can only copy-and-further-restrict-only. The latter probably being the default. /bz