From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 105881 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Sep 2006 10:01:46 -0000 http://perforce.freebsd.org/chv.cgi?CH=105881 Change 105881 by rwatson@rwatson_sesame on 2006/09/09 10:01:13 Complete privilege mapping for Jail. Affected files ... .. //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#3 edit Differences ... ==== //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#3 (text+ko) ==== 
@@ -535,82 +535,189 @@
 return (0);
 switch (priv) {
+ /* case PRIV_ROOT: */
+ /* case PRIV_ACCT: */
+ /* case PRIV_MAXFILES: */
+ /* case PRIV_MAXPROC: */
+ case PRIV_KTRACE:
+ /* case PRIV_SETDUMPER: */
+ /* case PRIV_NFSD: */
+ /* case PRIV_REBOOT: */
+ /* case PRIV_SWAPON: */
+ /* case PRIV_SWAPOFF: */
+ /* case PRIV_MSGBUF: */
+ /* case PRIV_WITNESS: */
+ /* case PRIV_IO: */
+ /* case PRIV_KEYBOARD: */
+ /* case PRIV_DRIVER: */
+ /* case PRIV_ADJTIME: */
+ /* case PRIV_NTP_ADJTIME: */
+ /* case PRIV_CLOCK_SETTIME: */
+ /* case PRIV_SETTIMEOFDAY: */
+ /* case PRIV_SETHOSTID: */
+ /* case PRIV_SETDOMAINNAME: */
+ /* case PRIV_AUDIT_CONTROL: */
+ /* case PRIV_AUDIT_FAILSTOP: */
+ case PRIV_AUDIT_GETAUDIT:
+ case PRIV_AUDIT_SETAUDIT:
+ case PRIV_AUDIT_SUBMIT:
 case PRIV_CRED_SETUID:
 case PRIV_CRED_SETEUID:
 case PRIV_CRED_SETGID:
 case PRIV_CRED_SETEGID:
+ case PRIV_CRED_SETGROUPS:
 case PRIV_CRED_SETREUID:
 case PRIV_CRED_SETREGID:
 case PRIV_CRED_SETRESUID:
 case PRIV_CRED_SETRESGID:
- case PRIV_CRED_SETGROUPS:
- /*
- * Grant most process credential privileges, as root within a
- * jail can set up credentials as it sees fit. The ability
- * to modify jail settings, and in particular to attach to a
- * jail, is not granted.
- */
- return (0);
-
- case PRIV_SIGNAL_SUGID:
- case PRIV_SIGNAL_DIFFCRED:
+ case PRIV_SEEOTHERGIDS:
+ case PRIV_SEEOTHERUIDS:
+ case PRIV_DEBUG_DIFFCRED:
+ case PRIV_DEBUG_SUGID:
+ case PRIV_DEBUG_UNPRIV:
+ /* case PRIV_FIRMWARE_LOAD: */
+ /* case PRIV_JAIL_ATTACH: */
+ /* case PRIV_KENV_SET: */
+ /* case PRIV_KENV_UNSET: */
+ /* case PRIV_KLD_LOAD: */
+ /* case PRIV_KLD_UNLOAD: */
+ /* case PRIV_MAC_PARTITION: */
+ case PRIV_PROC_LIMIT:
 case PRIV_PROC_SETLOGIN:
- /*
- * Inter-process privileges are generally granted, since a
- * separate jail name space check will be performed to scope
- * these calls to the current jail.
- */
- return (0);
-
- case PRIV_SCHED_SETPRIORITY:
 case PRIV_PROC_SETRLIMIT:
- /*
- * Root in jail can modify resource limits and scheduler
- * properties as it sees fit.
- */
- return (0);
- case PRIV_IPC_READ:
- case PRIV_IPC_EXEC:
- case PRIV_IPC_WRITE:
- case PRIV_IPC_ADMIN:
- case PRIV_IPC_MSGSIZE:
- /*
- * Grant System V IPC privileges -- we enable access to the
- * services using a single setting, and assume that if System
- * V IPC is available in the jail, privilege will be granted
- * to root in the jail.
- */
- return (0);
-
- case PRIV_MQ_ADMIN:
- /*
- * POSIX message queue administrative privilege is granted:
- * if the jail can name the resource, then root in the jail
- * can manage it.
- */
- return (0);
-
+ /* XXXRW: Not yet. */
+ /* case PRIV_IPC_READ: */
+ /* case PRIV_IPC_WRITE: */
+ /* case PRIV_IPC_EXEC: */
+ /* case PRIV_IPC_ADMIN: */
+ /* case PRIV_IPC_MSGSIZE: */
+ /* case PRIV_MQ_ADMIN: */
+ /* case PRIV_PMC_MANAGE: */
+ /* case PRIV_PMC_SYSTEM: */
+ case PRIV_SCHED_DIFFCRED:
+ /* case PRIV_SCHED_SETPRIORITY: */
+ /* case PRIV_SCHED_RTPRIO: */
+ /* case PRIV_SCHED_SETPOLICY: */
+ /* case PRIV_SCHED_SET: */
+ /* case PRIV_SCHED_SETPARAM: */
+ /* case PRIV_SEM_WRITE: */
+ case PRIV_SIGNAL_DIFFCRED:
+ case PRIV_SIGNAL_SUGID:
+ /* case PRIV_SYSCTL_DEBUG: */
+ /* case PRIV_SYSCTL_WRITE: */
+ case PRIV_SYSCTL_WRITEJAIL:
+ /* case PRIV_TTY_CONSOLE: */
+ /* case PRIV_TTY_DRAINWAIT: */
+ /* case PRIV_TTY_DTRWAIT: */
+ /* case PRIV_TTY_EXCLUSIVE: */
+ /* case PRIV_TTY_PRISON: */
+ /* case PRIV_TTY_STI: */
+ /* case PRIV_TTY_SETA: */
+ /* case PRIV_UFS_EXTATTRCTL: */
+ case PRIV_UFS_GETQUOTA:
+ case PRIV_UFS_QUOTAOFF: /* XXXRW: Slightly surprising. */
+ case PRIV_UFS_QUOTAON: /* XXXRW: Slightly surprising. */
+ case PRIV_UFS_SETQUOTA:
+ case PRIV_UFS_SETUSE: /* XXXRW: Slightly surprising. */
+ /* case PRIV_UFS_EXCEEDQUOTA: */
 case PRIV_VFS_READ:
 case PRIV_VFS_WRITE:
+ case PRIV_VFS_ADMIN:
 case PRIV_VFS_EXEC:
- case PRIV_VFS_ADMIN:
 case PRIV_VFS_LOOKUP:
- /*
- * In general, grant file permission exemption in VFS, but
- * not the right to manipulate the name space (mounting,
- * chroot, etc).
- */
+ case PRIV_VFS_BLOCKRESERVE: /* XXXRW: Slightly surprising. */
+ case PRIV_VFS_CHFLAGS_DEV:
+ case PRIV_VFS_CHOWN:
+ case PRIV_VFS_CHROOT:
+ case PRIV_VFS_CLEARSUGID:
+ /* case PRIV_VFS_EXTATTR_SYSTEM: */
+ case PRIV_VFS_FCHROOT:
+ /* case PRIV_VFS_FHOPEN: */
+ /* case PRIV_VFS_FHSTAT: */
+ /* case PRIV_VFS_FHSTATFS: */
+ /* case PRIV_VFS_GENERATION: */
+ /* case PRIV_VFS_GETFH: */
+ case PRIV_VFS_LINK:
+ /* case PRIV_VFS_MKNOD_DEV: */
+ /* case PRIV_VFS_MOUNT: */
+ /* case PRIV_VFS_MOUNT_OWNER: */
+ /* case PRIV_VFS_MOUNT_EXPORTED: */
+ /* case PRIV_VFS_MOUNT_PERM: */
+ /* case PRIV_VFS_MOUNT_SUIDDIR: */
+ case PRIV_VFS_SETGID:
+ case PRIV_VFS_STICKYFILE:
 return (0);
- case PRIV_VFS_CHFLAGS_DEV:
- case PRIV_VFS_REVOKE:
- /*
- * Grant rights relating to managing visible device nodes and
- * ttys.
- */
+ case PRIV_VFS_SYSFLAGS:
+ if (jail_chflags_allowed)
+ return (0);
+ else
+ return (EPERM);
+ /* case PRIV_VFS_UNMOUNT: */
+ /* case PRIV_VM_MADV_PROTECT: */
+ /* case PRIV_VM_MLOCK: */
+ /* case PRIV_VM_MUNLOCK: */
+ /* case PRIV_DEVFS_RULE: */
+ /* case PRIV_DEVFS_SYMLINK: */
+ /* case PRIV_RANDOM_RESEED: */
+ /* case PRIV_NET_BRIDGE: */
+ /* case PRIV_NET_GRE: */
+ /* case PRIV_NET_PPP: */
+ /* case PRIV_NET_SLIP: */
+ /* case PRIV_NET_BPF: */
+ /* case PRIV_NET_RAW: */
+ /* case PRIV_NET_ROUTE: */
+ /* case PRIV_NET_TAP: */
+ /* case PRIV_NET_SETIFMTU: */
+ /* case PRIV_NET_SETIFFLAGS: */
+ /* case PRIV_NET_SETIFCAP: */
+ /* case PRIV_NET_SETIFNAME: */
+ /* case PRIV_NET_SETIFMETRIC: */
+ /* case PRIV_NET_SETIFPHYS: */
+ /* case PRIV_NET_SETIFMAC: */
+ /* case PRIV_NET_ADDMULTI: */
+ /* case PRIV_NET_DELMULTI: */
+ /* case PRIV_NET_HWIOCTL: */
+ /* case PRIV_NET_SETLLADDR: */
+ /* case PRIV_NET_ADDIFGROUP: */
+ /* case PRIV_NET_DELIFGROUP: */
+ /* case PRIV_NET_IFCREATE: */
+ /* case PRIV_NET_IFDESTROY: */
+ /* case PRIV_NET80211_GETKEY: */
+ /* case PRIV_NET80211_MANAGE: */
+ /* case PRIV_NETATALK_RESERVEDPORT: */
+ /* case PRIV_NETATM_CFG: */
+ /* case PRIV_NETATM_ADD: */
+ /* case PRIV_NETATM_DEL: */
+ /* case PRIV_NETATM_SET: */
+ /* case PRIV_NETGRAPH_CONTROL: */
+ /* case PRIV_NETGRAPH_TTY: */
+ case PRIV_NETINET_RESERVEDPORT:
 return (0);
+ /* case PRIV_NETINET_IPFW: */
+ /* case PRIV_NETINET_DIVERT: */
+ /* case PRIV_NETINET_PF: */
+ /* case PRIV_NETINET_DUMMYNET: */
+ /* case PRIV_NETINET_CARP: */
+ /* case PRIV_NETINET_MROUTE: */
+ case PRIV_NETINET_RAW:
+ if (jail_allow_raw_sockets)
+ return (0);
+ else
+ return (EPERM);
+ case PRIV_NETINET_GETCRED:
+ /* case PRIV_NETINET_ADDRCTRL6: */
+ /* case PRIV_NETINET_ND6: */
+ /* case PRIV_NETINET_SCOPE6: */
+ /* case PRIV_NETINET_ALIFETIME6: */
+ /* case PRIV_NETINET_IPSEC: */
+ /* case PRIV_NETIPX_RESERVEDPORT: */
+ /* case PRIV_NETIPX_RAW: */
+ /* case PRIV_NETNCP: */
+ /* case PRIV_NETSMB: */
+ /* case PRIV_VM86_INTCALL: */
 default:
 /*