Date:      Sun, 3 Sep 2006 16:43:20 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 105601 for review
Message-ID:  <200609031643.k83GhKTI019163@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=105601

Change 105601 by rwatson@rwatson_sesame on 2006/09/03 16:42:46

	First scratchings at a new approach to jail and privilege: since
	we now have named privileges being passed in explicitly, the jail
	decision can be made centrally rather than scattered all over the
	kernel.  The list of privileges here is not yet complete, though.

Affected files ...

.. //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#2 (text+ko) ====

@@ -20,6 +20,7 @@
 #include <sys/sysproto.h>
 #include <sys/mac.h>
 #include <sys/malloc.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/taskqueue.h>
 #include <sys/jail.h>
@@ -37,7 +38,6 @@
 
 MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
 
-SYSCTL_DECL(_security);
 SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
     "Jail rules");
 
@@ -205,7 +205,7 @@
 	 * a process root from one prison, but attached to the jail
 	 * of another.
 	 */
-	error = suser(td);
+	error = priv_check(td, PRIV_JAIL_ATTACH);
 	if (error)
 		return (error);
 
@@ -523,6 +523,103 @@
 	}
 }
 
+/*
+ * Check with permission for a specific privilege is granted within jail.  We
+ * have a specific list of accepted privileges; the rest are denied.
+ */
+int
+prison_priv_check(struct ucred *cred, enum priv priv)
+{
+
+	if (!(jailed(cred)))
+		return (0);
+
+	switch (priv) {
+	case PRIV_CRED_SETUID:
+	case PRIV_CRED_SETEUID:
+	case PRIV_CRED_SETGID:
+	case PRIV_CRED_SETEGID:
+	case PRIV_CRED_SETREUID:
+	case PRIV_CRED_SETREGID:
+	case PRIV_CRED_SETRESUID:
+	case PRIV_CRED_SETRESGID:
+	case PRIV_CRED_SETGROUPS:
+		/*
+		 * Grant most process credential privileges, as root within a
+		 * jail can set up credentials as it sees fit.  The ability
+		 * to modify jail settings, and in particular to attach to a
+		 * jail, is not granted.
+		 */
+		return (0);
+
+	case PRIV_SIGNAL_SUGID:
+	case PRIV_SIGNAL_DIFFCRED:
+	case PRIV_PROC_SETLOGIN:
+		/*
+		 * Inter-process privileges are generally granted, since a
+		 * separate jail name space check will be performed to scope
+		 * these calls to the current jail.
+		 */
+		return (0);
+
+	case PRIV_SCHED_SETPRIORITY:
+	case PRIV_PROC_SETRLIMIT:
+		/*
+		 * Root in jail can modify resource limits and scheduler
+		 * properties as it sees fit.
+		 */
+		return (0);
+
+	case PRIV_IPC_READ:
+	case PRIV_IPC_EXEC:
+	case PRIV_IPC_WRITE:
+	case PRIV_IPC_ADMIN:
+	case PRIV_IPC_MSGSIZE:
+		/*
+		 * Grant System V IPC privileges -- we enable access to the
+		 * services using a single setting, and assume that if System
+		 * V IPC is available in the jail, privilege will be granted
+		 * to root in the jail.
+		 */
+		return (0);
+
+	case PRIV_MQ_ADMIN:
+		/*
+		 * POSIX message queue administrative privilege is granted:
+		 * if the jail can name the resource, then root in the jail
+		 * can manage it.
+		 */
+		return (0);
+
+	case PRIV_VFS_READ:
+	case PRIV_VFS_WRITE:
+	case PRIV_VFS_EXEC:
+	case PRIV_VFS_ADMIN:
+	case PRIV_VFS_LOOKUP:
+		/*
+		 * In general, grant file permission exemption in VFS, but
+		 * not the right to manipulate the name space (mounting,
+		 * chroot, etc).
+		 */
+		return (0);
+
+	case PRIV_VFS_CHFLAGS_DEV:
+	case PRIV_VFS_REVOKE:
+		/*
+		 * Grant rights relating to managing visible device nodes and
+		 * ttys.
+		 */
+
+		return (0);
+
+	default:
+		/*
+		 * In all remaining cases, deny the privilege request.
+		 */
+		return (EPERM);
+	}
+}
+
 static int
 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
 {
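Review bot: The header comment on prison_priv_check reads "Check with permission for a specific privilege is granted within jail", where "with" should be "whether", and it does not state the return contract; I would rewrite it as `Check whether a specific privilege is granted within jail.  Returns 0 if the credential is not jailed or the privilege is on the accepted list, EPERM otherwise; all remaining privileges are denied by default.` The early `return (0)` for a non-jailed credential means this function only makes the jail decision, so the comment should also say that the caller (presumably priv_check, not visible here) is still responsible for the ordinary superuser check. The function is non-static but no prototype is added in this change; if sys/jail.h or sys/priv.h does not already declare it, a declaration belongs there. As a point of style, the stray blank line between the comment and `return (0);` in the PRIV_VFS_CHFLAGS_DEV/PRIV_VFS_REVOKE case is inconsistent with every other case and should be dropped.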


