Date: Mon, 18 Sep 2006 09:17:48 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 106285 for review Message-ID: <200609180917.k8I9Hmf6071984@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=106285

Change 106285 by rwatson@rwatson_peppercorn on 2006/09/18 09:16:49

	Remove commented out privileges (in most cases) for jail, and annotate which privileges are allowed and why in comments.

Affected files ...

.. //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#4 edit

Differences ...

==== //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#4 (text+ko) ====

@@ -535,32 +535,26 @@
 return (0);

 switch (priv) {
- /* case PRIV_ROOT: */
- /* case PRIV_ACCT: */
- /* case PRIV_MAXFILES: */
- /* case PRIV_MAXPROC: */
+
+ /*
+ * Allow ktrace privileges for root in jail.
+ */
 case PRIV_KTRACE:
- /* case PRIV_SETDUMPER: */
- /* case PRIV_NFSD: */
- /* case PRIV_REBOOT: */
- /* case PRIV_SWAPON: */
- /* case PRIV_SWAPOFF: */
- /* case PRIV_MSGBUF: */
- /* case PRIV_WITNESS: */
- /* case PRIV_IO: */
- /* case PRIV_KEYBOARD: */
- /* case PRIV_DRIVER: */
- /* case PRIV_ADJTIME: */
- /* case PRIV_NTP_ADJTIME: */
- /* case PRIV_CLOCK_SETTIME: */
- /* case PRIV_SETTIMEOFDAY: */
- /* case PRIV_SETHOSTID: */
- /* case PRIV_SETDOMAINNAME: */
- /* case PRIV_AUDIT_CONTROL: */
- /* case PRIV_AUDIT_FAILSTOP: */
+
+ /*
+ * Allow jailed processes to configure audit identity and
+ * submit audit records (login, etc). In the future we may
+ * want to further refine the relationship between audit and
+ * jail.
+ */
 case PRIV_AUDIT_GETAUDIT:
 case PRIV_AUDIT_SETAUDIT:
 case PRIV_AUDIT_SUBMIT:
+
+ /*
+ * Allow jailed processes to manipulate process UNIX
+ * credentials in any way they sees fit.
+ */
 case PRIV_CRED_SETUID:
 case PRIV_CRED_SETEUID:
 case PRIV_CRED_SETGID:
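Review bot: The new ktrace annotation, `Allow ktrace privileges for root in jail.`, states the decision but, unlike the audit and credential comments beside it, gives no reason it is safe to grant to a jailed root; the same change justifies the debug privileges in the next hunk with "Jail implements inter-process debugging limits already", so the ktrace comment should either cite that same limit or carry an XXXRW marker like the quota cases until it is confirmed. Suggested wording: `Allow ktrace privileges for root in jail; this relies on the jail's own inter-process debugging limits to bound which processes may be traced -- XXXRW: confirm.` The credential comment also has a typo, `in any way they sees fit`, which should read `in any way they see fit`. The function containing this switch starts before the hunk (the leading `return (0);` context belongs to an earlier check) and the switch continues past it.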
@@ -570,57 +564,73 @@
 case PRIV_CRED_SETREGID:
 case PRIV_CRED_SETRESUID:
 case PRIV_CRED_SETRESGID:
+
+ /*
+ * Jail implements visibility constraints already, so allow
+ * jailed root to override uid/gid-based constraints.
+ */
 case PRIV_SEEOTHERGIDS:
 case PRIV_SEEOTHERUIDS:
+
+ /*
+ * Jail implements inter-process debugging limits already, so
+ * allow jailed root various debugging privileges.
+ */
 case PRIV_DEBUG_DIFFCRED:
 case PRIV_DEBUG_SUGID:
 case PRIV_DEBUG_UNPRIV:
- /* case PRIV_FIRMWARE_LOAD: */
- /* case PRIV_JAIL_ATTACH: */
- /* case PRIV_KENV_SET: */
- /* case PRIV_KENV_UNSET: */
- /* case PRIV_KLD_LOAD: */
- /* case PRIV_KLD_UNLOAD: */
- /* case PRIV_MAC_PARTITION: */
+
+ /*
+ * Allow jail to set various resource limits and login
+ * properties, and for now, exceed process resource limits.
+ */
 case PRIV_PROC_LIMIT:
 case PRIV_PROC_SETLOGIN:
 case PRIV_PROC_SETRLIMIT:
- /* XXXRW: Not yet. */
+ /*
+ * The following privileges should be granted to jail once
+ * implemented.
+ */
 /* case PRIV_IPC_READ: */
 /* case PRIV_IPC_WRITE: */
 /* case PRIV_IPC_EXEC: */
 /* case PRIV_IPC_ADMIN: */
 /* case PRIV_IPC_MSGSIZE: */
 /* case PRIV_MQ_ADMIN: */
- /* case PRIV_PMC_MANAGE: */
- /* case PRIV_PMC_SYSTEM: */
+
+ /*
+ * Jail implements its own inter-process limits, so allow
+ * root processes in jail to change scheduling on other
+ * processes in the same jail. Likewise for signalling.
+ */
 case PRIV_SCHED_DIFFCRED:
- /* case PRIV_SCHED_SETPRIORITY: */
- /* case PRIV_SCHED_RTPRIO: */
- /* case PRIV_SCHED_SETPOLICY: */
- /* case PRIV_SCHED_SET: */
- /* case PRIV_SCHED_SETPARAM: */
- /* case PRIV_SEM_WRITE: */
 case PRIV_SIGNAL_DIFFCRED:
 case PRIV_SIGNAL_SUGID:
- /* case PRIV_SYSCTL_DEBUG: */
- /* case PRIV_SYSCTL_WRITE: */
+
+ /*
+ * Allow jailed processes to write to sysctls marked as jail
+ * writable.
+ */
 case PRIV_SYSCTL_WRITEJAIL:
- /* case PRIV_TTY_CONSOLE: */
- /* case PRIV_TTY_DRAINWAIT: */
- /* case PRIV_TTY_DTRWAIT: */
- /* case PRIV_TTY_EXCLUSIVE: */
- /* case PRIV_TTY_PRISON: */
- /* case PRIV_TTY_STI: */
- /* case PRIV_TTY_SETA: */
- /* case PRIV_UFS_EXTATTRCTL: */
+
+ /*
+ * Allow root in jail to manage a variety of quota
+ * properties. Some are a bit surprising and should be
+ * reconsidered.
+ */
 case PRIV_UFS_GETQUOTA:
 case PRIV_UFS_QUOTAOFF: /* XXXRW: Slightly surprising. */
 case PRIV_UFS_QUOTAON: /* XXXRW: Slightly surprising. */
 case PRIV_UFS_SETQUOTA:
 case PRIV_UFS_SETUSE: /* XXXRW: Slightly surprising. */
- /* case PRIV_UFS_EXCEEDQUOTA: */
+
+ /*
+ * Since Jail relies on chroot() to implement file system
+ * protections, grant many VFS privileges to root in jail.
+ * Be careful to exclude mount-related and NFS-related
+ * privileges.
+ */
 case PRIV_VFS_READ:
 case PRIV_VFS_WRITE:
 case PRIV_VFS_ADMIN:
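Review bot: The quota block leaves `PRIV_UFS_QUOTAON`, `PRIV_UFS_QUOTAOFF` and `PRIV_UFS_SETUSE` granted to jailed root with only `XXXRW: Slightly surprising.` beside them, which does not tell the next reader what the concern actually is. If quota on/off acts on a whole mount rather than per jail (not visible from this hunk), a jailed root could switch off quota enforcement for a file system it shares with the host, and the marker should say so, e.g. `/* XXXRW: Acts on the whole mount, not just the jail -- reconsider. */`. The new comment above them already says these "should be reconsidered"; since the switch's `default:` denies, the conservative option while that review is pending is to drop those three cases from the allowed list rather than keep them with a caveat. The VFS case list continues past the end of this hunk.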
@@ -631,97 +641,49 @@
 case PRIV_VFS_CHOWN:
 case PRIV_VFS_CHROOT:
 case PRIV_VFS_CLEARSUGID:
- /* case PRIV_VFS_EXTATTR_SYSTEM: */
 case PRIV_VFS_FCHROOT:
- /* case PRIV_VFS_FHOPEN: */
- /* case PRIV_VFS_FHSTAT: */
- /* case PRIV_VFS_FHSTATFS: */
- /* case PRIV_VFS_GENERATION: */
- /* case PRIV_VFS_GETFH: */
 case PRIV_VFS_LINK:
- /* case PRIV_VFS_MKNOD_DEV: */
- /* case PRIV_VFS_MOUNT: */
- /* case PRIV_VFS_MOUNT_OWNER: */
- /* case PRIV_VFS_MOUNT_EXPORTED: */
- /* case PRIV_VFS_MOUNT_PERM: */
- /* case PRIV_VFS_MOUNT_SUIDDIR: */
 case PRIV_VFS_SETGID:
 case PRIV_VFS_STICKYFILE:
 return (0);
+ /*
+ * Depending on the global setting, allow privilege of
+ * setting system flags.
+ */
 case PRIV_VFS_SYSFLAGS:
 if (jail_chflags_allowed)
 return (0);
 else
 return (EPERM);
- /* case PRIV_VFS_UNMOUNT: */
- /* case PRIV_VM_MADV_PROTECT: */
- /* case PRIV_VM_MLOCK: */
- /* case PRIV_VM_MUNLOCK: */
- /* case PRIV_DEVFS_RULE: */
- /* case PRIV_DEVFS_SYMLINK: */
- /* case PRIV_RANDOM_RESEED: */
- /* case PRIV_NET_BRIDGE: */
- /* case PRIV_NET_GRE: */
- /* case PRIV_NET_PPP: */
- /* case PRIV_NET_SLIP: */
- /* case PRIV_NET_BPF: */
- /* case PRIV_NET_RAW: */
- /* case PRIV_NET_ROUTE: */
- /* case PRIV_NET_TAP: */
- /* case PRIV_NET_SETIFMTU: */
- /* case PRIV_NET_SETIFFLAGS: */
- /* case PRIV_NET_SETIFCAP: */
- /* case PRIV_NET_SETIFNAME: */
- /* case PRIV_NET_SETIFMETRIC: */
- /* case PRIV_NET_SETIFPHYS: */
- /* case PRIV_NET_SETIFMAC: */
- /* case PRIV_NET_ADDMULTI: */
- /* case PRIV_NET_DELMULTI: */
- /* case PRIV_NET_HWIOCTL: */
- /* case PRIV_NET_SETLLADDR: */
- /* case PRIV_NET_ADDIFGROUP: */
- /* case PRIV_NET_DELIFGROUP: */
- /* case PRIV_NET_IFCREATE: */
- /* case PRIV_NET_IFDESTROY: */
- /* case PRIV_NET80211_GETKEY: */
- /* case PRIV_NET80211_MANAGE: */
- /* case PRIV_NETATALK_RESERVEDPORT: */
- /* case PRIV_NETATM_CFG: */
- /* case PRIV_NETATM_ADD: */
- /* case PRIV_NETATM_DEL: */
- /* case PRIV_NETATM_SET: */
- /* case PRIV_NETGRAPH_CONTROL: */
- /* case PRIV_NETGRAPH_TTY: */
+ /*
+ * Allow jailed root to bind reserved ports.
+ */
 case PRIV_NETINET_RESERVEDPORT:
 return (0);
- /* case PRIV_NETINET_IPFW: */
- /* case PRIV_NETINET_DIVERT: */
- /* case PRIV_NETINET_PF: */
- /* case PRIV_NETINET_DUMMYNET: */
- /* case PRIV_NETINET_CARP: */
- /* case PRIV_NETINET_MROUTE: */
+
+ /*
+ * Conditionally allow creating raw sockets in jail.
+ */
 case PRIV_NETINET_RAW:
 if (jail_allow_raw_sockets)
 return (0);
 else
 return (EPERM);
+
+ /*
+ * Since jail implements its own visibility limits on netstat
+ * sysctls, allow getcred. This allows identd to work in
+ * jail.
+ */
 case PRIV_NETINET_GETCRED:
- /* case PRIV_NETINET_ADDRCTRL6: */
- /* case PRIV_NETINET_ND6: */
- /* case PRIV_NETINET_SCOPE6: */
- /* case PRIV_NETINET_ALIFETIME6: */
- /* case PRIV_NETINET_IPSEC: */
- /* case PRIV_NETIPX_RESERVEDPORT: */
- /* case PRIV_NETIPX_RAW: */
- /* case PRIV_NETNCP: */
- /* case PRIV_NETSMB: */
- /* case PRIV_VM86_INTCALL: */
 default:
 /*
- * In all remaining cases, deny the privilege request.
+ * In all remaining cases, deny the privilege request. This
+ * includes almost all network privileges, many system
+ * configuration privileges.
 */
 return (EPERM);
 }
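Review bot: The rewritten `default:` comment, `includes almost all network privileges, many system configuration privileges`, is missing a conjunction and reads as a list fragment; `includes almost all network privileges and many system configuration privileges` says what was meant. The two conditional cases test `jail_chflags_allowed` and `jail_allow_raw_sockets`, but their new comments only mention "the global setting" or "conditionally", so a reader has to find the variable to learn where the policy lives; naming it, e.g. `Allow setting system flags only when the global jail_chflags_allowed knob is set (not a per-jail setting).`, and the equivalent for raw sockets, makes the fail-closed default and the override visible in one place. The `}` on the hunk's last line closes the switch; whatever the function returns after it is outside this view.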