From owner-trustedbsd-discuss@FreeBSD.ORG Sat Sep 23 09:26:19 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C9F5E16A415; Sat, 23 Sep 2006 09:26:19 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id C5A8443D5C; Sat, 23 Sep 2006 09:26:17 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 45A8446DA8; Sat, 23 Sep 2006 05:26:17 -0400 (EDT) Date: Sat, 23 Sep 2006 10:26:17 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Max Laier In-Reply-To: <200609140253.06818.max@love2party.net> Message-ID: <20060923102438.N6562@fledge.watson.org> References: <20060913150912.J1823@fledge.watson.org> <200609140253.06818.max@love2party.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: trustedbsd-discuss@trustedbsd.org, freebsd-arch@freebsd.org Subject: Re: New in-kernel privilege API: priv(9) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 Sep 2006 09:26:19 -0000 On Thu, 14 Sep 2006, Max Laier wrote: > Right now, prison_priv_check() is looking rather scary to me. If something > else wants to decide on finer granularity, alright, but in my opinion it's > easier (more obvious) to keep the "normal" information in the .h file where > the privileges are defined and described - as we are aiming for > centralization of the decision and information. On top of that the caller > could mask off ALLOW_IN_JAIL if they think it's not appropriate in a special > use case of the privilege. The attached version of the kern_jail.c diff removes all the extra commented out privileges that aren't granted, and were largely there as development scaffolding to make sure I considered all privileges. Does this seem a bit less scary? Robert N M Watson Computer Laboratory University of Cambridge --- //depot/projects/trustedbsd/base/sys/kern/kern_jail.c 2006/09/18 08:37:28 +++ //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c 2006/09/19 08:03:32 @@ -8,7 +8,7 @@ */ #include -__FBSDID("$FreeBSD: src/sys/kern/kern_jail.c,v 1.52 2006/09/17 20:00:35 rwatson Exp $"); +__FBSDID("$FreeBSD: src/sys/kern/kern_jail.c,v 1.51 2005/09/28 00:30:56 csjp Exp $"); #include "opt_mac.h" @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -204,7 +205,7 @@ * a process root from one prison, but attached to the jail * of another. */ - error = suser(td); + error = priv_check(td, PRIV_JAIL_ATTACH); if (error) return (error); @@ -522,6 +523,172 @@ } } +/* + * Check with permission for a specific privilege is granted within jail. We + * have a specific list of accepted privileges; the rest are denied. + */ +int +prison_priv_check(struct ucred *cred, enum priv priv) +{ + + if (!(jailed(cred))) + return (0); + + switch (priv) { + + /* + * Allow ktrace privileges for root in jail. + */ + case PRIV_KTRACE: + + /* + * Allow jailed processes to configure audit identity and + * submit audit records (login, etc). In the future we may + * want to further refine the relationship between audit and + * jail. + */ + case PRIV_AUDIT_GETAUDIT: + case PRIV_AUDIT_SETAUDIT: + case PRIV_AUDIT_SUBMIT: + + /* + * Allow jailed processes to manipulate process UNIX + * credentials in any way they see fit. + */ + case PRIV_CRED_SETUID: + case PRIV_CRED_SETEUID: + case PRIV_CRED_SETGID: + case PRIV_CRED_SETEGID: + case PRIV_CRED_SETGROUPS: + case PRIV_CRED_SETREUID: + case PRIV_CRED_SETREGID: + case PRIV_CRED_SETRESUID: + case PRIV_CRED_SETRESGID: + + /* + * Jail implements visibility constraints already, so allow + * jailed root to override uid/gid-based constraints. + */ + case PRIV_SEEOTHERGIDS: + case PRIV_SEEOTHERUIDS: + + /* + * Jail implements inter-process debugging limits already, so + * allow jailed root various debugging privileges. + */ + case PRIV_DEBUG_DIFFCRED: + case PRIV_DEBUG_SUGID: + case PRIV_DEBUG_UNPRIV: + + /* + * Allow jail to set various resource limits and login + * properties, and for now, exceed process resource limits. + */ + case PRIV_PROC_LIMIT: + case PRIV_PROC_SETLOGIN: + case PRIV_PROC_SETRLIMIT: + + /* + * The following privileges should be granted to jail once + * implemented. + */ + /* case PRIV_IPC_READ: */ + /* case PRIV_IPC_WRITE: */ + /* case PRIV_IPC_EXEC: */ + /* case PRIV_IPC_ADMIN: */ + /* case PRIV_IPC_MSGSIZE: */ + /* case PRIV_MQ_ADMIN: */ + + /* + * Jail implements its own inter-process limits, so allow + * root processes in jail to change scheduling on other + * processes in the same jail. Likewise for signalling. + */ + case PRIV_SCHED_DIFFCRED: + case PRIV_SIGNAL_DIFFCRED: + case PRIV_SIGNAL_SUGID: + + /* + * Allow jailed processes to write to sysctls marked as jail + * writable. + */ + case PRIV_SYSCTL_WRITEJAIL: + + /* + * Allow root in jail to manage a variety of quota + * properties. Some are a bit surprising and should be + * reconsidered. + */ + case PRIV_UFS_GETQUOTA: + case PRIV_UFS_QUOTAOFF: /* XXXRW: Slightly surprising. */ + case PRIV_UFS_QUOTAON: /* XXXRW: Slightly surprising. */ + case PRIV_UFS_SETQUOTA: + case PRIV_UFS_SETUSE: /* XXXRW: Slightly surprising. */ + + /* + * Since Jail relies on chroot() to implement file system + * protections, grant many VFS privileges to root in jail. + * Be careful to exclude mount-related and NFS-related + * privileges. + */ + case PRIV_VFS_READ: + case PRIV_VFS_WRITE: + case PRIV_VFS_ADMIN: + case PRIV_VFS_EXEC: + case PRIV_VFS_LOOKUP: + case PRIV_VFS_BLOCKRESERVE: /* XXXRW: Slightly surprising. */ + case PRIV_VFS_CHFLAGS_DEV: + case PRIV_VFS_CHOWN: + case PRIV_VFS_CHROOT: + case PRIV_VFS_CLEARSUGID: + case PRIV_VFS_FCHROOT: + case PRIV_VFS_LINK: + case PRIV_VFS_SETGID: + case PRIV_VFS_STICKYFILE: + return (0); + + /* + * Depending on the global setting, allow privilege of + * setting system flags. + */ + case PRIV_VFS_SYSFLAGS: + if (jail_chflags_allowed) + return (0); + else + return (EPERM); + + /* + * Allow jailed root to bind reserved ports. + */ + case PRIV_NETINET_RESERVEDPORT: + return (0); + + /* + * Conditionally allow creating raw sockets in jail. + */ + case PRIV_NETINET_RAW: + if (jail_allow_raw_sockets) + return (0); + else + return (EPERM); + + /* + * Since jail implements its own visibility limits on netstat + * sysctls, allow getcred. This allows identd to work in + * jail. + */ + case PRIV_NETINET_GETCRED: + return (0); + + default: + /* + * In all remaining cases, deny the privilege request. This + * includes almost all network privileges, many system + * configuration privileges. + */ + return (EPERM); + } +} + static int sysctl_jail_list(SYSCTL_HANDLER_ARGS) {