From owner-svn-src-all@FreeBSD.ORG  Sat May 14 17:02:03 2011
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 95DDA1065672;
	Sat, 14 May 2011 17:02:03 +0000 (UTC) (envelope-from pjd@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 84D288FC0C;
	Sat, 14 May 2011 17:02:03 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p4EH23HL009670;
	Sat, 14 May 2011 17:02:03 GMT (envelope-from pjd@svn.freebsd.org)
Received: (from pjd@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id p4EH23Ux009664;
	Sat, 14 May 2011 17:02:03 GMT (envelope-from pjd@svn.freebsd.org)
Message-Id: <201105141702.p4EH23Ux009664@svn.freebsd.org>
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
Date: Sat, 14 May 2011 17:02:03 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r221899 - in head/sbin: hastctl hastd
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 14 May 2011 17:02:03 -0000

Author: pjd
Date: Sat May 14 17:02:03 2011
New Revision: 221899
URL: http://svn.freebsd.org/changeset/base/221899

Log:
  Currently we are unable to use capsicum for the primary worker process,
  because we need to do ioctl(2)s, which are not permitted in the capability
  mode. What we do now is to chroot(2) to /var/empty, which restricts access
  to file system name space and we drop privileges to hast user and hast
  group.
  
  This still allows to access to other name spaces, like list of processes,
  network and sysvipc.
  
  To address that, use jail(2) instead of chroot(2). Using jail(2) will restrict
  access to process table, network (we use ip-less jails) and sysvipc (if
  security.jail.sysvipc_allowed is turned off). This provides much better
  separation.
  
  MFC after:	1 week

Modified:
  head/sbin/hastctl/hastctl.c
  head/sbin/hastd/primary.c
  head/sbin/hastd/secondary.c
  head/sbin/hastd/subr.c
  head/sbin/hastd/subr.h

Modified: head/sbin/hastctl/hastctl.c
==============================================================================
--- head/sbin/hastctl/hastctl.c	Sat May 14 16:55:24 2011	(r221898)
+++ head/sbin/hastctl/hastctl.c	Sat May 14 17:02:03 2011	(r221899)
@@ -480,7 +480,7 @@ main(int argc, char *argv[])
 		    cfg->hc_controladdr);
 	}
 
-	if (drop_privs(true) != 0)
+	if (drop_privs(NULL) != 0)
 		exit(EX_CONFIG);
 
 	/* Send the command to the server... */

Modified: head/sbin/hastd/primary.c
==============================================================================
--- head/sbin/hastd/primary.c	Sat May 14 16:55:24 2011	(r221898)
+++ head/sbin/hastd/primary.c	Sat May 14 17:02:03 2011	(r221899)
@@ -904,7 +904,7 @@ hastd_primary(struct hast_resource *res)
 	init_ggate(res);
 	init_environment(res);
 
-	if (drop_privs(true) != 0) {
+	if (drop_privs(res) != 0) {
 		cleanup(res);
 		exit(EX_CONFIG);
 	}

Modified: head/sbin/hastd/secondary.c
==============================================================================
--- head/sbin/hastd/secondary.c	Sat May 14 16:55:24 2011	(r221898)
+++ head/sbin/hastd/secondary.c	Sat May 14 17:02:03 2011	(r221899)
@@ -436,7 +436,7 @@ hastd_secondary(struct hast_resource *re
 	init_local(res);
 	init_environment();
 
-	if (drop_privs(true) != 0)
+	if (drop_privs(res) != 0)
 		exit(EX_CONFIG);
 	pjdlog_info("Privileges successfully dropped.");
 

Modified: head/sbin/hastd/subr.c
==============================================================================
--- head/sbin/hastd/subr.c	Sat May 14 16:55:24 2011	(r221898)
+++ head/sbin/hastd/subr.c	Sat May 14 17:02:03 2011	(r221899)
@@ -32,9 +32,10 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/capability.h>
-#include <sys/types.h>
+#include <sys/param.h>
 #include <sys/disk.h>
 #include <sys/ioctl.h>
+#include <sys/jail.h>
 #include <sys/stat.h>
 
 #include <errno.h>
@@ -147,13 +148,15 @@ role2str(int role)
 }
 
 int
-drop_privs(bool usecapsicum)
+drop_privs(struct hast_resource *res)
 {
+	char jailhost[sizeof(res->hr_name) * 2];
+	struct jail jailst;
 	struct passwd *pw;
 	uid_t ruid, euid, suid;
 	gid_t rgid, egid, sgid;
 	gid_t gidset[1];
-	bool capsicum;
+	bool capsicum, jailed;
 
 	/*
 	 * According to getpwnam(3) we have to clear errno before calling the
@@ -173,10 +176,34 @@ drop_privs(bool usecapsicum)
 			return (-1);
 		}
 	}
-	if (chroot(pw->pw_dir) == -1) {
-		KEEP_ERRNO(pjdlog_errno(LOG_ERR,
-		    "Unable to change root directory to %s", pw->pw_dir));
-		return (-1);
+
+	bzero(&jailst, sizeof(jailst));
+	jailst.version = JAIL_API_VERSION;
+	jailst.path = pw->pw_dir;
+	if (res == NULL) {
+		(void)snprintf(jailhost, sizeof(jailhost), "hastctl");
+	} else {
+		(void)snprintf(jailhost, sizeof(jailhost), "hastd: %s (%s)",
+		    res->hr_name, role2str(res->hr_role));
+	}
+	jailst.hostname = jailhost;
+	jailst.jailname = NULL;
+	jailst.ip4s = 0;
+	jailst.ip4 = NULL;
+	jailst.ip6s = 0;
+	jailst.ip6 = NULL;
+	if (jail(&jailst) >= 0) {
+		jailed = true;
+	} else {
+		jailed = false;
+		pjdlog_errno(LOG_WARNING,
+		    "Unable to jail to directory to %s", pw->pw_dir);
+		if (chroot(pw->pw_dir) == -1) {
+			KEEP_ERRNO(pjdlog_errno(LOG_ERR,
+			    "Unable to change root directory to %s",
+			    pw->pw_dir));
+			return (-1);
+		}
 	}
 	PJDLOG_VERIFY(chdir("/") == 0);
 	gidset[0] = pw->pw_gid;
@@ -197,15 +224,10 @@ drop_privs(bool usecapsicum)
 		return (-1);
 	}
 
-	capsicum = false;
-	if (usecapsicum) {
-		if (cap_enter() == 0) {
-			capsicum = true;
-		} else {
-			pjdlog_errno(LOG_WARNING,
-			    "Unable to sandbox using capsicum");
-		}
-	}
+	if (res == NULL || res->hr_role != HAST_ROLE_PRIMARY)
+		capsicum = (cap_enter() == 0);
+	else
+		capsicum = false;
 
 	/*
 	 * Better be sure that everything succeeded.
@@ -223,8 +245,8 @@ drop_privs(bool usecapsicum)
 	PJDLOG_VERIFY(gidset[0] == pw->pw_gid);
 
 	pjdlog_debug(1,
-	    "Privileges successfully dropped using %schroot+setgid+setuid.",
-	    capsicum ? "capsicum+" : "");
+	    "Privileges successfully dropped using %s%s+setgid+setuid.",
+	    capsicum ? "capsicum+" : "", jailed ? "jail" : "chroot");
 
 	return (0);
 }

Modified: head/sbin/hastd/subr.h
==============================================================================
--- head/sbin/hastd/subr.h	Sat May 14 16:55:24 2011	(r221898)
+++ head/sbin/hastd/subr.h	Sat May 14 17:02:03 2011	(r221899)
@@ -51,6 +51,6 @@ int snprlcat(char *str, size_t size, con
 
 int provinfo(struct hast_resource *res, bool dowrite);
 const char *role2str(int role);
-int drop_privs(bool usecapsicum);
+int drop_privs(struct hast_resource *res);
 
 #endif	/* !_SUBR_H_ */