Date: Tue, 16 Sep 2025 13:45:10 GMT
Message-Id: <202509161345.58GDjAid043579@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 1c3ca0c733a4 - main - Revert "jail: Optionally allow audit session state to be configured in a jail"
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=1c3ca0c733a4e4ba550cedfa8019260fb0cf5707

commit 1c3ca0c733a4e4ba550cedfa8019260fb0cf5707
Author:     Mark Johnston
AuthorDate: 2025-09-16 13:43:47 +0000
Commit:     Mark Johnston
CommitDate: 2025-09-16 13:44:58 +0000

    Revert "jail: Optionally allow audit session state to be configured in a jail"

    Changing audit system calls to return EPERM instead of ENOSYS when invoked
    from a jail breaks some userspace applications.  Revert for now until a
    more complete change is reviewed.

    This reverts commit 246d7e9fc23928be22db38220f5439f5cdee5264.

    PR:             289645
---
 sys/kern/kern_jail.c                   | 13 +------------
 sys/security/audit/audit_syscalls.c    | 12 ++++++++++++
 sys/sys/jail.h                         |  3 +--
 usr.sbin/jail/jail.8                   | 19 ++++---------------
 usr.sbin/jail/tests/jail_basic_test.sh | 20 --------------------
 5 files changed, 18 insertions(+), 49 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 3697d95fe0e5..a75ba89d2a7e 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c
@@ -243,9 +243,6 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = { {"allow.unprivileged_parent_tampering", "allow.nounprivileged_parent_tampering", PR_ALLOW_UNPRIV_PARENT_TAMPER}, -#ifdef AUDIT - {"allow.setaudit", "allow.nosetaudit", PR_ALLOW_SETAUDIT}, -#endif }; static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC; const size_t pr_flag_allow_size = sizeof(pr_flag_allow); @@ -4292,6 +4289,7 @@ prison_priv_check(struct ucred *cred, int priv) */ case PRIV_KTRACE: +#if 0 /* * Allow jailed processes to configure audit identity and * submit audit records (login, etc). In the future we may @@ -4300,11 +4298,6 @@ prison_priv_check(struct ucred *cred, int priv) */ case PRIV_AUDIT_GETAUDIT: case PRIV_AUDIT_SETAUDIT: - if (cred->cr_prison->pr_allow & PR_ALLOW_SETAUDIT) - return (0); - else - return (EPERM); -#if 0 case PRIV_AUDIT_SUBMIT: #endif @@ -5041,10 +5034,6 @@ SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may set system time"); SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may modify routing table"); -#ifdef AUDIT -SYSCTL_JAIL_PARAM(_allow, setaudit, CTLTYPE_INT | CTLFLAG_RW, - "B", "Jail may set and get audit session state"); -#endif SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c index 262f2c1ae1e3..40b2fb3d1c9f 100644 --- a/sys/security/audit/audit_syscalls.c +++ b/sys/security/audit/audit_syscalls.c @@ -592,6 +592,8 @@ sys_getauid(struct thread *td, struct getauid_args *uap) { int error; + if (jailed(td->td_ucred)) + return (ENOSYS); error = priv_check(td, PRIV_AUDIT_GETAUDIT); if (error) return (error); @@ -607,6 +609,8 @@ sys_setauid(struct thread *td, struct setauid_args *uap) au_id_t id; int error; + if (jailed(td->td_ucred)) + return (ENOSYS); error = copyin(uap->auid, &id, sizeof(id)); if (error) return (error); 
@@ -646,6 +650,8 @@ sys_getaudit(struct thread *td, struct getaudit_args *uap) int error; cred = td->td_ucred; + if (jailed(cred)) + return (ENOSYS); error = priv_check(td, PRIV_AUDIT_GETAUDIT); if (error) return (error); @@ -668,6 +674,8 @@ sys_setaudit(struct thread *td, struct setaudit_args *uap) struct auditinfo ai; int error; + if (jailed(td->td_ucred)) + return (ENOSYS); error = copyin(uap->auditinfo, &ai, sizeof(ai)); if (error) return (error); @@ -707,6 +715,8 @@ sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap) { int error; + if (jailed(td->td_ucred)) + return (ENOSYS); if (uap->length < sizeof(*uap->auditinfo_addr)) return (EOVERFLOW); error = priv_check(td, PRIV_AUDIT_GETAUDIT); @@ -724,6 +734,8 @@ sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap) struct auditinfo_addr aia; int error; + if (jailed(td->td_ucred)) + return (ENOSYS); error = copyin(uap->auditinfo_addr, &aia, sizeof(aia)); if (error) return (error); diff --git a/sys/sys/jail.h b/sys/sys/jail.h index e6a13e6719dd..e12e8c3178c9 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -271,7 +271,6 @@ struct prison_racct { #define PR_ALLOW_SETTIME 0x00100000 #define PR_ALLOW_ROUTING 0x00200000 #define PR_ALLOW_UNPRIV_PARENT_TAMPER 0x00400000 -#define PR_ALLOW_SETAUDIT 0x00800000 /* * PR_ALLOW_PRISON0 are the allow flags that we apply by default to prison0, @@ -279,7 +278,7 @@ struct prison_racct { * build time. PR_ALLOW_ALL_STATIC should contain any bit above that we expect * to be used on the system, while PR_ALLOW_PRISON0 will be some subset of that. */ -#define PR_ALLOW_ALL_STATIC 0x00ff87ff +#define PR_ALLOW_ALL_STATIC 0x007f87ff #define PR_ALLOW_PRISON0 \ (PR_ALLOW_ALL_STATIC & ~(PR_ALLOW_UNPRIV_PARENT_TAMPER)) diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index d44b7f66a64e..421aa9babb4c 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 
@@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd September 15, 2025 +.Dd August 7, 2025 .Dt JAIL 8 .Os .Sh NAME @@ -702,15 +702,15 @@ The super-user will be disabled automatically if its parent system has it disabled. The super-user is enabled by default. .It Va allow.extattr -Allow privileged processes in the jail to manipulate filesystem extended +Allow privileged process in the jail to manipulate filesystem extended attributes in the system namespace. .It Va allow.adjtime -Allow privileged processes in the jail to slowly adjusting global operating system +Allow privileged process in the jail to slowly adjusting global operating system time. For example through utilities like .Xr ntpd 8 . .It Va allow.settime -Allow privileged processes in the jail to set global operating system data +Allow privileged process in the jail to set global operating system data and time. For example through utilities like .Xr date 1 . @@ -719,17 +719,6 @@ This permission includes also .It Va allow.routing Allow privileged process in the non-VNET jail to modify the system routing table. -.It Va allow.setaudit -Allow privileged processes in the jail to set -.Xr audit 4 -session state using -.Xr setaudit 2 -and related system calls. -This is useful, for example, for allowing a jailed -.Xr sshd 8 -to set the audit user ID for an authenticated session. -However, it gives jailed processes the ability to modify or disable audit -session state, so should be configured with care. .El .El .Pp diff --git a/usr.sbin/jail/tests/jail_basic_test.sh b/usr.sbin/jail/tests/jail_basic_test.sh index c781eed78756..6802da7b049a 100755 --- a/usr.sbin/jail/tests/jail_basic_test.sh +++ b/usr.sbin/jail/tests/jail_basic_test.sh 
@@ -306,25 +306,6 @@ param_consistency_cleanup() fi } -atf_test_case "setaudit" -setaudit_head() -{ - atf_set descr 'Test that setaudit works in a jail when configured with allow.setaudit' - atf_set require.user root - atf_set require.progs setaudit -} - -setaudit_body() -{ - # Try to modify the audit mask within a jail without - # allow.setaudit configured. - atf_check -s not-exit:0 -o empty -e not-empty jail -c name=setaudit_jail \ - command=setaudit -m fr ls / - # The command should succeed if allow.setaudit is configured. - atf_check -s exit:0 -o ignore -e empty jail -c name=setaudit_jail \ - allow.setaudit command=setaudit -m fr ls / -} - atf_init_test_cases() { atf_add_test_case "basic" @@ -333,5 +314,4 @@ atf_init_test_cases() atf_add_test_case "commands" atf_add_test_case "jid_name_set" atf_add_test_case "param_consistency" - atf_add_test_case "setaudit" }
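Review bot: in the prison_priv_check() hunk of sys/kern/kern_jail.c, moving `#if 0` up to just below `case PRIV_KTRACE:` puts the comment "Allow jailed processes to configure audit identity and submit audit records" inside the disabled region, where it describes a policy the code no longer implements. With the new `jailed()` checks in audit_syscalls.c returning ENOSYS before priv_check() is ever reached, the PRIV_AUDIT_GETAUDIT and PRIV_AUDIT_SETAUDIT cases are dead for jailed callers on both paths; reword the comment to say that audit identity calls are unavailable in jails so a later reader does not take the old intent as current behaviour.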
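Review bot: the six `if (jailed(td->td_ucred)) return (ENOSYS);` preludes in sys/security/audit/audit_syscalls.c sit before copyin() and priv_check() in every handler, which is the right order (no privilege evaluation and no user-memory access for a caller that will be refused anyway), but the decision is now repeated per system call instead of being made once in prison_priv_check(). A future audit system call that omits the prelude would fall through to priv_check() and return EPERM, which is exactly the inconsistency the commit message says breaks userspace; a small shared helper, or at least a comment in kern_jail.c pointing at these checks, would make the coupling visible.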
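Review bot: in sys/sys/jail.h, dropping `PR_ALLOW_SETAUDIT 0x00800000` and shrinking PR_ALLOW_ALL_STATIC from 0x00ff87ff to 0x007f87ff is consistent (the single cleared bit is the one removed, and PR_ALLOW_PRISON0 is derived from it, so prison0 loses the bit as well). Since the matching `allow.setaudit` entries are also removed from pr_flag_allow and the SYSCTL_JAIL_PARAM table, any jail.conf that already sets allow.setaudit on a system running 246d7e9f will no longer have a recognised parameter; that user-visible consequence is worth a line in the commit message.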
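Review bot: the usr.sbin/jail/jail.8 hunk reverts more than the allow.setaudit text: the allow.extattr, allow.adjtime and allow.settime entries go back from "privileged processes" to "privileged process", and .Dd moves back to August 7, 2025. Those wording fixes were independent of the audit change and could be kept, with .Dd set to the date of this commit, rather than undone alongside the feature.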
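Review bot: removing the setaudit test case from usr.sbin/jail/tests/jail_basic_test.sh leaves no regression coverage for the in-jail audit behaviour this revert restores. A minimal replacement that runs `setaudit -m fr ls /` inside a jail and asserts a non-zero exit would pin the ENOSYS contract the commit message relies on, so that a future re-land of 246d7e9f changes it deliberately rather than by accident.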