From owner-p4-projects@FreeBSD.ORG Mon Sep 18 09:17:49 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 714E116A49E; Mon, 18 Sep 2006 09:17:49 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3382816A47E for ; Mon, 18 Sep 2006 09:17:49 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 73FE543D5A for ; Mon, 18 Sep 2006 09:17:48 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k8I9HmIi071987 for ; Mon, 18 Sep 2006 09:17:48 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k8I9Hmf6071984 for perforce@freebsd.org; Mon, 18 Sep 2006 09:17:48 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Mon, 18 Sep 2006 09:17:48 GMT Message-Id: <200609180917.k8I9Hmf6071984@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 106285 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Sep 2006 09:17:49 -0000 http://perforce.freebsd.org/chv.cgi?CH=106285 Change 106285 by rwatson@rwatson_peppercorn on 2006/09/18 09:16:49 Remove commented out privileges (in most cases) for jail, and annotate which privileges are allowed and why in comments. Affected files ... .. //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#4 edit Differences ...
==== //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#4 (text+ko) ====
@@ -535,32 +535,26 @@
 return (0);
 
 switch (priv) {
- /* case PRIV_ROOT: */
- /* case PRIV_ACCT: */
- /* case PRIV_MAXFILES: */
- /* case PRIV_MAXPROC: */
+
+ /*
+ * Allow ktrace privileges for root in jail.
+ */
 case PRIV_KTRACE:
- /* case PRIV_SETDUMPER: */
- /* case PRIV_NFSD: */
- /* case PRIV_REBOOT: */
- /* case PRIV_SWAPON: */
- /* case PRIV_SWAPOFF: */
- /* case PRIV_MSGBUF: */
- /* case PRIV_WITNESS: */
- /* case PRIV_IO: */
- /* case PRIV_KEYBOARD: */
- /* case PRIV_DRIVER: */
- /* case PRIV_ADJTIME: */
- /* case PRIV_NTP_ADJTIME: */
- /* case PRIV_CLOCK_SETTIME: */
- /* case PRIV_SETTIMEOFDAY: */
- /* case PRIV_SETHOSTID: */
- /* case PRIV_SETDOMAINNAME: */
- /* case PRIV_AUDIT_CONTROL: */
- /* case PRIV_AUDIT_FAILSTOP: */
+
+ /*
+ * Allow jailed processes to configure audit identity and
+ * submit audit records (login, etc). In the future we may
+ * want to further refine the relationship between audit and
+ * jail.
+ */
 case PRIV_AUDIT_GETAUDIT:
 case PRIV_AUDIT_SETAUDIT:
 case PRIV_AUDIT_SUBMIT:
+
+ /*
+ * Allow jailed processes to manipulate process UNIX
+ * credentials in any way they sees fit.
+ */
 case PRIV_CRED_SETUID:
 case PRIV_CRED_SETEUID:
 case PRIV_CRED_SETGID:
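Review bot: The new comment above `case PRIV_CRED_SETUID:` has a grammar slip, `credentials in any way they sees fit.`; it should read `credentials in any way they see fit.`. The ktrace comment is also the only one of the three new comments that gives no rationale, whereas the other groups in this change name the existing jail constraint that makes the grant safe. If ktrace target selection is bounded by the same inter-process checks cited later for PRIV_DEBUG_* (I cannot confirm that from this hunk), stating it, e.g. `Allow ktrace privileges for root in jail; target processes remain subject to the usual inter-process checks.`, would let a reader review this grant on the same terms as the rest. The enclosing function, including the jailed() test that precedes `return (0);`, begins before this hunk.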
@@ -570,57 +564,73 @@
 case PRIV_CRED_SETREGID:
 case PRIV_CRED_SETRESUID:
 case PRIV_CRED_SETRESGID:
+
+ /*
+ * Jail implements visibility constraints already, so allow
+ * jailed root to override uid/gid-based constraints.
+ */
 case PRIV_SEEOTHERGIDS:
 case PRIV_SEEOTHERUIDS:
+
+ /*
+ * Jail implements inter-process debugging limits already, so
+ * allow jailed root various debugging privileges.
+ */
 case PRIV_DEBUG_DIFFCRED:
 case PRIV_DEBUG_SUGID:
 case PRIV_DEBUG_UNPRIV:
- /* case PRIV_FIRMWARE_LOAD: */
- /* case PRIV_JAIL_ATTACH: */
- /* case PRIV_KENV_SET: */
- /* case PRIV_KENV_UNSET: */
- /* case PRIV_KLD_LOAD: */
- /* case PRIV_KLD_UNLOAD: */
- /* case PRIV_MAC_PARTITION: */
+
+ /*
+ * Allow jail to set various resource limits and login
+ * properties, and for now, exceed process resource limits.
+ */
 case PRIV_PROC_LIMIT:
 case PRIV_PROC_SETLOGIN:
 case PRIV_PROC_SETRLIMIT:
- /* XXXRW: Not yet. */
+ /*
+ * The following privileges should be granted to jail once
+ * implemented.
+ */
 /* case PRIV_IPC_READ: */
 /* case PRIV_IPC_WRITE: */
 /* case PRIV_IPC_EXEC: */
 /* case PRIV_IPC_ADMIN: */
 /* case PRIV_IPC_MSGSIZE: */
 /* case PRIV_MQ_ADMIN: */
- /* case PRIV_PMC_MANAGE: */
- /* case PRIV_PMC_SYSTEM: */
+
+ /*
+ * Jail implements its own inter-process limits, so allow
+ * root processes in jail to change scheduling on other
+ * processes in the same jail. Likewise for signalling.
+ */
 case PRIV_SCHED_DIFFCRED:
- /* case PRIV_SCHED_SETPRIORITY: */
- /* case PRIV_SCHED_RTPRIO: */
- /* case PRIV_SCHED_SETPOLICY: */
- /* case PRIV_SCHED_SET: */
- /* case PRIV_SCHED_SETPARAM: */
- /* case PRIV_SEM_WRITE: */
 case PRIV_SIGNAL_DIFFCRED:
 case PRIV_SIGNAL_SUGID:
- /* case PRIV_SYSCTL_DEBUG: */
- /* case PRIV_SYSCTL_WRITE: */
+
+ /*
+ * Allow jailed processes to write to sysctls marked as jail
+ * writable.
+ */
 case PRIV_SYSCTL_WRITEJAIL:
- /* case PRIV_TTY_CONSOLE: */
- /* case PRIV_TTY_DRAINWAIT: */
- /* case PRIV_TTY_DTRWAIT: */
- /* case PRIV_TTY_EXCLUSIVE: */
- /* case PRIV_TTY_PRISON: */
- /* case PRIV_TTY_STI: */
- /* case PRIV_TTY_SETA: */
- /* case PRIV_UFS_EXTATTRCTL: */
+
+ /*
+ * Allow root in jail to manage a variety of quota
+ * properties. Some are a bit surprising and should be
+ * reconsidered.
+ */
 case PRIV_UFS_GETQUOTA:
 case PRIV_UFS_QUOTAOFF: /* XXXRW: Slightly surprising. */
 case PRIV_UFS_QUOTAON: /* XXXRW: Slightly surprising. */
 case PRIV_UFS_SETQUOTA:
 case PRIV_UFS_SETUSE: /* XXXRW: Slightly surprising. */
- /* case PRIV_UFS_EXCEEDQUOTA: */
+
+ /*
+ * Since Jail relies on chroot() to implement file system
+ * protections, grant many VFS privileges to root in jail.
+ * Be careful to exclude mount-related and NFS-related
+ * privileges.
+ */
 case PRIV_VFS_READ:
 case PRIV_VFS_WRITE:
 case PRIV_VFS_ADMIN:
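Review bot: The comment above `case PRIV_PROC_LIMIT:` records a deliberately deferred decision, "and for now, exceed process resource limits", without the `XXXRW:` tag that the quota cases in the same hunk use for exactly that kind of open question, so the one grant that lets jailed root exceed a limit the host otherwise imposes is the one a grep for outstanding items will miss. I would add a trailing `/* XXXRW: Revisit. */` on `case PRIV_PROC_LIMIT:`, matching the style of the PRIV_UFS_QUOTAOFF line, or fold the words `XXXRW:` into the block comment. The "once implemented" comment introducing the still-commented-out PRIV_IPC_* and PRIV_MQ_ADMIN cases sits inside the live fall-through run between `case PRIV_PROC_SETRLIMIT:` and `case PRIV_SCHED_DIFFCRED:`; that is harmless, but it reads more clearly if it says the cases are intentionally not yet granted. Minor: `Since Jail relies on chroot()` capitalises "Jail" while every other new comment writes "jail".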
@@ -631,97 +641,49 @@
 case PRIV_VFS_CHOWN:
 case PRIV_VFS_CHROOT:
 case PRIV_VFS_CLEARSUGID:
- /* case PRIV_VFS_EXTATTR_SYSTEM: */
 case PRIV_VFS_FCHROOT:
- /* case PRIV_VFS_FHOPEN: */
- /* case PRIV_VFS_FHSTAT: */
- /* case PRIV_VFS_FHSTATFS: */
- /* case PRIV_VFS_GENERATION: */
- /* case PRIV_VFS_GETFH: */
 case PRIV_VFS_LINK:
- /* case PRIV_VFS_MKNOD_DEV: */
- /* case PRIV_VFS_MOUNT: */
- /* case PRIV_VFS_MOUNT_OWNER: */
- /* case PRIV_VFS_MOUNT_EXPORTED: */
- /* case PRIV_VFS_MOUNT_PERM: */
- /* case PRIV_VFS_MOUNT_SUIDDIR: */
 case PRIV_VFS_SETGID:
 case PRIV_VFS_STICKYFILE:
 return (0);
+ /*
+ * Depending on the global setting, allow privilege of
+ * setting system flags.
+ */
 case PRIV_VFS_SYSFLAGS:
 if (jail_chflags_allowed)
 return (0);
 else
 return (EPERM);
- /* case PRIV_VFS_UNMOUNT: */
- /* case PRIV_VM_MADV_PROTECT: */
- /* case PRIV_VM_MLOCK: */
- /* case PRIV_VM_MUNLOCK: */
- /* case PRIV_DEVFS_RULE: */
- /* case PRIV_DEVFS_SYMLINK: */
- /* case PRIV_RANDOM_RESEED: */
- /* case PRIV_NET_BRIDGE: */
- /* case PRIV_NET_GRE: */
- /* case PRIV_NET_PPP: */
- /* case PRIV_NET_SLIP: */
- /* case PRIV_NET_BPF: */
- /* case PRIV_NET_RAW: */
- /* case PRIV_NET_ROUTE: */
- /* case PRIV_NET_TAP: */
- /* case PRIV_NET_SETIFMTU: */
- /* case PRIV_NET_SETIFFLAGS: */
- /* case PRIV_NET_SETIFCAP: */
- /* case PRIV_NET_SETIFNAME: */
- /* case PRIV_NET_SETIFMETRIC: */
- /* case PRIV_NET_SETIFPHYS: */
- /* case PRIV_NET_SETIFMAC: */
- /* case PRIV_NET_ADDMULTI: */
- /* case PRIV_NET_DELMULTI: */
- /* case PRIV_NET_HWIOCTL: */
- /* case PRIV_NET_SETLLADDR: */
- /* case PRIV_NET_ADDIFGROUP: */
- /* case PRIV_NET_DELIFGROUP: */
- /* case PRIV_NET_IFCREATE: */
- /* case PRIV_NET_IFDESTROY: */
- /* case PRIV_NET80211_GETKEY: */
- /* case PRIV_NET80211_MANAGE: */
- /* case PRIV_NETATALK_RESERVEDPORT: */
- /* case PRIV_NETATM_CFG: */
- /* case PRIV_NETATM_ADD: */
- /* case PRIV_NETATM_DEL: */
- /* case PRIV_NETATM_SET: */
- /* case PRIV_NETGRAPH_CONTROL: */
- /* case PRIV_NETGRAPH_TTY: */
+ /*
+ * Allow jailed root to bind reserved ports.
+ */
 case PRIV_NETINET_RESERVEDPORT:
 return (0);
- /* case PRIV_NETINET_IPFW: */
- /* case PRIV_NETINET_DIVERT: */
- /* case PRIV_NETINET_PF: */
- /* case PRIV_NETINET_DUMMYNET: */
- /* case PRIV_NETINET_CARP: */
- /* case PRIV_NETINET_MROUTE: */
+
+ /*
+ * Conditionally allow creating raw sockets in jail.
+ */
 case PRIV_NETINET_RAW:
 if (jail_allow_raw_sockets)
 return (0);
 else
 return (EPERM);
+
+ /*
+ * Since jail implements its own visibility limits on netstat
+ * sysctls, allow getcred. This allows identd to work in
+ * jail.
+ */
 case PRIV_NETINET_GETCRED:
- /* case PRIV_NETINET_ADDRCTRL6: */
- /* case PRIV_NETINET_ND6: */
- /* case PRIV_NETINET_SCOPE6: */
- /* case PRIV_NETINET_ALIFETIME6: */
- /* case PRIV_NETINET_IPSEC: */
- /* case PRIV_NETIPX_RESERVEDPORT: */
- /* case PRIV_NETIPX_RAW: */
- /* case PRIV_NETNCP: */
- /* case PRIV_NETSMB: */
- /* case PRIV_VM86_INTCALL: */
 default:
 /*
- * In all remaining cases, deny the privilege request.
+ * In all remaining cases, deny the privilege request. This
+ * includes almost all network privileges, many system
+ * configuration privileges.
 */
 return (EPERM);
 }
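Review bot: The two conditional grants in this hunk document their knobs inconsistently: the PRIV_VFS_SYSFLAGS comment says "Depending on the global setting" but never names `jail_chflags_allowed`, and the PRIV_NETINET_RAW comment says only "Conditionally", so a reader cannot tell from the comments that both are system-wide settings rather than per-jail ones. I would name the variable in each, e.g. `Allow setting system flags only if jail_chflags_allowed is set (system-wide, not per-jail).` and `Allow raw sockets only if jail_allow_raw_sockets is set (system-wide, not per-jail).`, since these are the two places where the default-deny posture is relaxed by configuration. The rewritten default-case comment is also missing a conjunction: `includes almost all network privileges, many system` should read `includes almost all network privileges and many system`.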