From owner-svn-src-head@freebsd.org Wed Nov 18 21:15:03 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1BE35472469; Wed, 18 Nov 2020 21:15:03 +0000 (UTC) (envelope-from mjguzik@gmail.com) Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CbwYz04pJz4ff8; Wed, 18 Nov 2020 21:15:02 +0000 (UTC) (envelope-from mjguzik@gmail.com) Received: by mail-wr1-x42a.google.com with SMTP id d12so3523080wrr.13; Wed, 18 Nov 2020 13:15:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Mp/G6k12INNDTBHZ7JcZ2KE6sXmB16hdvUu08DYEtww=; b=JmxEJKtNL9lB9RkJHqEViy3CJwSEibp2+JWi01a7guCOpmGp/+jdRFlM+fZyTv7JLK vD5kmW0VBupFojSvrYWKkU4/kZGKD185Dl1IUmMRzrz/k4pofO9qyh3sk8wy9M7WPK4Z JSZMF6BqObBdHAQQBXf8C7c9GbBo2qrOoo4aMXPi9duFFqrsIbaGLG1arkD97IEalz94 5qh6CPQ4tpdCPqUhs+OG5kiAC24I7F6hd2ESm3vfMhot3xpMJsF8ONlCFNC8iJ+KEUwg /7G9RntHHW1uY4A9QWNRsG9C8rkp5LykahGSLFZZV0tfcVMgP33EfqqCBL5Qb6xSQQQK 1KJA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Mp/G6k12INNDTBHZ7JcZ2KE6sXmB16hdvUu08DYEtww=; b=UOxYvGs2JckI/h+sLtyK4wpO/JNWd3V8t13uxJWvmvqZvs3Q3nUXctub46dWnTJyP5 0yPcX3keAGd3uY+mwSRJ3CmelwNMjhKDsvxkOTFsfj4ybLY0qYBYz5qMTzQ5BOlru2m+ kj/U9IgAJQ/57xr+DjKJDjKsLhMTqUtvQaIDkp4voxZGT4ukU8Gu2+1rKlzJO3IlMZ1q qMpTo19fu315jvDALJb1j/0lvDCdoFywliRcBataVxhBnuG610jH2zyo3m2gg5Kg4lyL x9qHya0mHOTSD2XywJPlR2Glf17mPpiH5GlQ1c0fF1nqMVtpK0au+J1CFlLQ/r/UHzqt Pabg== X-Gm-Message-State: AOAM532SOb5YfjWNmKeQSlvX+RI9iIeztX4NMfU0gLKgVIlrKSeDuwsS t4HrMFsEVb+dnVLfOwFnc9pgzdGTg19pfGbaZHn8O0yrF2Y= X-Google-Smtp-Source: ABdhPJwk4ugRDq6JkYa5ku8ssJ6Nwxo00Y7ttQ5FomKayxYXz64IMWZySzr8hnbRoPOhaZb5FSFRwwnMv/6TY2IV/H0= X-Received: by 2002:a5d:5146:: with SMTP id u6mr7142004wrt.66.1605734100203; Wed, 18 Nov 2020 13:15:00 -0800 (PST) MIME-Version: 1.0 Received: by 2002:adf:dec7:0:0:0:0:0 with HTTP; Wed, 18 Nov 2020 13:14:59 -0800 (PST) In-Reply-To: <202011182107.0AIL78pi053574@repo.freebsd.org> References: <202011182107.0AIL78pi053574@repo.freebsd.org> From: Mateusz Guzik Date: Wed, 18 Nov 2020 22:14:59 +0100 Message-ID: Subject: Re: svn commit: r367819 - in head: sys/kern sys/sys usr.sbin/jail To: Mariusz Zaborski Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Rspamd-Queue-Id: 4CbwYz04pJz4ff8 X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Nov 2020 21:15:03 -0000 On 11/18/20, Mariusz Zaborski wrote: > Author: oshogbo > Date: Wed Nov 18 21:07:08 2020 > New Revision: 367819 > URL: https://svnweb.freebsd.org/changeset/base/367819 > > Log: > jail: introduce per jail suser_enabled setting > > The suser_enable sysctl allows to remove a privileged rights from uid 0. > This change introduce per jail setting which allow to make root a > normal user. > > Reviewed by: jamie > Previous version reviewed by: kevans, emaste, markj, me_igalic.co > Discussed with: pjd > Differential Revision: https://reviews.freebsd.org/D27128 > > Modified: > head/sys/kern/kern_jail.c > head/sys/kern/kern_priv.c > head/sys/sys/jail.h > head/usr.sbin/jail/jail.8 > > Modified: head/sys/kern/kern_jail.c > ============================================================================== > --- head/sys/kern/kern_jail.c Wed Nov 18 20:59:58 2020 (r367818) > +++ head/sys/kern/kern_jail.c Wed Nov 18 21:07:08 2020 (r367819) > @@ -199,12 +199,14 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = > > {"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF}, > {"allow.unprivileged_proc_debug", "allow.nounprivileged_proc_debug", > PR_ALLOW_UNPRIV_DEBUG}, > + {"allow.suser", "allow.nosuser", PR_ALLOW_SUSER}, > }; > const size_t pr_flag_allow_size = sizeof(pr_flag_allow); > > #define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | \ > PR_ALLOW_RESERVED_PORTS | \ > - PR_ALLOW_UNPRIV_DEBUG) > + PR_ALLOW_UNPRIV_DEBUG | \ > + PR_ALLOW_SUSER) > #define JAIL_DEFAULT_ENFORCE_STATFS 2 > #define JAIL_DEFAULT_DEVFS_RSNUM 0 > static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; > @@ -3815,6 +3817,8 @@ SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | > C > "B", "Jail may read the kernel message buffer"); > SYSCTL_JAIL_PARAM(_allow, unprivileged_proc_debug, CTLTYPE_INT | > CTLFLAG_RW, > "B", "Unprivileged processes may use process debugging facilities"); > +SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW, > + "B", "Processes in jail with uid 0 have privilege"); > > SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission > flags"); > SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, > > Modified: head/sys/kern/kern_priv.c > ============================================================================== > --- head/sys/kern/kern_priv.c Wed Nov 18 20:59:58 2020 (r367818) > +++ head/sys/kern/kern_priv.c Wed Nov 18 21:07:08 2020 (r367819) > @@ -3,6 +3,7 @@ > * > * Copyright (c) 2006 nCircle Network Security, Inc. > * Copyright (c) 2009 Robert N. M. Watson > + * Copyright (c) 2020 Mariusz Zaborski > * All rights reserved. > * > * This software was developed by Robert N. M. Watson for the TrustedBSD > @@ -36,6 +37,9 @@ __FBSDID("$FreeBSD$"); > #include > #include > #include > +#include > +#include > +#include > #include > #include > #include > @@ -54,10 +58,58 @@ __FBSDID("$FreeBSD$"); > * userland programs, and should not be done without careful consideration > of > * the consequences. > */ > -static int __read_mostly suser_enabled = 1; > -SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RWTUN, > - &suser_enabled, 0, "processes with uid 0 have privilege"); > > +static bool > +suser_enabled(struct ucred *cred) > +{ > + > + return (prison_allow(cred, PR_ALLOW_SUSER) ? true : false); > +} > + This converts a variable read into a function call to prison_allow. prison_allow should be converted into an inline func and put in a header. Also: /* This is an atomic read, so no locking is necessary. */ return (cred->cr_prison->pr_allow & flag); happens to probably work in practice, but is wrong. Short of atomic_store to modify and atomic_load to obtain the content can be arbitrarily mangled during concurrent concurrent write. > +static void inline > +prison_suser_set(struct prison *pr, int enabled) > +{ > + > + if (enabled) { > + pr->pr_allow |= PR_ALLOW_SUSER; > + } else { > + pr->pr_allow &= ~PR_ALLOW_SUSER; > + } > +} > + > +static int > +sysctl_kern_suser_enabled(SYSCTL_HANDLER_ARGS) > +{ > + struct prison *pr, *cpr; > + struct ucred *cred; > + int descend, error, enabled; > + > + cred = req->td->td_ucred; > + enabled = suser_enabled(cred); > + > + error = sysctl_handle_int(oidp, &enabled, 0, req); > + if (error || !req->newptr) > + return (error); > + > + pr = cred->cr_prison; > + sx_slock(&allprison_lock); > + mtx_lock(&pr->pr_mtx); > + > + prison_suser_set(pr, enabled); > + if (!enabled) { > + FOREACH_PRISON_DESCENDANT_LOCKED(pr, cpr, descend) { > + prison_suser_set(cpr, 0); > + } > + } > + mtx_unlock(&pr->pr_mtx); > + sx_sunlock(&allprison_lock); > + return (0); > +} > + > +SYSCTL_PROC(_security_bsd, OID_AUTO, suser_enabled, CTLTYPE_INT | > + CTLFLAG_RWTUN | CTLFLAG_PRISON, 0, 0, &sysctl_kern_suser_enabled, "I", > + "Processes with uid 0 have privilege"); > + This lacks CTLFLAG_MPSAFE. > static int unprivileged_mlock = 1; > SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RWTUN, > &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)"); > @@ -186,7 +238,7 @@ priv_check_cred(struct ucred *cred, int priv) > * superuser policy to be globally disabled, although this is > * currenty of limited utility. > */ > - if (suser_enabled) { > + if (suser_enabled(cred)) { > switch (priv) { > case PRIV_MAXFILES: > case PRIV_MAXPROC: > @@ -258,7 +310,7 @@ priv_check_cred_vfs_lookup_slow(struct ucred *cred) > if (error) > goto out; > > - if (cred->cr_uid == 0 && suser_enabled) { > + if (cred->cr_uid == 0 && suser_enabled(cred)) { > error = 0; > goto out; > } > @@ -279,7 +331,7 @@ priv_check_cred_vfs_lookup(struct ucred *cred) > return (priv_check_cred_vfs_lookup_slow(cred)); > > error = EPERM; > - if (cred->cr_uid == 0 && suser_enabled) > + if (cred->cr_uid == 0 && suser_enabled(cred)) > error = 0; > return (error); > } > @@ -294,7 +346,7 @@ priv_check_cred_vfs_lookup_nomac(struct ucred *cred) > return (EAGAIN); > > error = EPERM; > - if (cred->cr_uid == 0 && suser_enabled) > + if (cred->cr_uid == 0 && suser_enabled(cred)) > error = 0; > return (error); > } > @@ -313,7 +365,7 @@ priv_check_cred_vfs_generation_slow(struct ucred *cred > goto out; > } > > - if (cred->cr_uid == 0 && suser_enabled) { > + if (cred->cr_uid == 0 && suser_enabled(cred)) { > error = 0; > goto out; > } > @@ -334,7 +386,7 @@ priv_check_cred_vfs_generation(struct ucred *cred) > return (priv_check_cred_vfs_generation_slow(cred)); > > error = EPERM; > - if (!jailed(cred) && cred->cr_uid == 0 && suser_enabled) > + if (!jailed(cred) && cred->cr_uid == 0 && suser_enabled(cred)) > error = 0; > return (error); > } > > Modified: head/sys/sys/jail.h > ============================================================================== > --- head/sys/sys/jail.h Wed Nov 18 20:59:58 2020 (r367818) > +++ head/sys/sys/jail.h Wed Nov 18 21:07:08 2020 (r367819) > @@ -232,9 +232,10 @@ struct prison_racct { > #define PR_ALLOW_MLOCK 0x00000080 > #define PR_ALLOW_READ_MSGBUF 0x00000100 > #define PR_ALLOW_UNPRIV_DEBUG 0x00000200 > +#define PR_ALLOW_SUSER 0x00000400 > #define PR_ALLOW_RESERVED_PORTS 0x00008000 > #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ > -#define PR_ALLOW_ALL_STATIC 0x000183ff > +#define PR_ALLOW_ALL_STATIC 0x000187ff > > /* > * PR_ALLOW_DIFFERENCES determines which flags are able to be > > Modified: head/usr.sbin/jail/jail.8 > ============================================================================== > --- head/usr.sbin/jail/jail.8 Wed Nov 18 20:59:58 2020 (r367818) > +++ head/usr.sbin/jail/jail.8 Wed Nov 18 21:07:08 2020 (r367819) > @@ -25,7 +25,7 @@ > .\" > .\" $FreeBSD$ > .\" > -.Dd May 14, 2020 > +.Dd November 18, 2020 > .Dt JAIL 8 > .Os > .Sh NAME > @@ -587,6 +587,13 @@ and resource limits. > The jail root may bind to ports lower than 1024. > .It Va allow.unprivileged_proc_debug > Unprivileged processes in the jail may use debugging facilities. > +.It Va allow.suser > +The value of the jail's > +.Va security.bsd.suser_enabled > +sysctl. > +The super-user will be disabled automatically if its parent system has it > +disabled. > +The super-user is enabled by default. > .El > .El > .Pp > @@ -1267,6 +1274,7 @@ Changes to these variables by a jailed process do not > > environment, only the jail environment. > These variables are > .Va kern.securelevel , > +.Va security.bsd.suser_enabled , > .Va kern.hostname , > .Va kern.domainname , > .Va kern.hostid , > -- Mateusz Guzik