git: cb48780db4d6 - main - jail: Add the ability to access system-level filesystem extended attributes
Date: Fri, 01 Sep 2023 08:14:44 UTC
The branch main has been updated by dchagin:
URL: https://cgit.FreeBSD.org/src/commit/?id=cb48780db4d6d276d0abd2f84d41185fce17ff83
commit cb48780db4d6d276d0abd2f84d41185fce17ff83
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
AuthorDate: 2023-09-01 08:11:33 +0000
Commit: Dmitry Chagin <dchagin@FreeBSD.org>
CommitDate: 2023-09-01 08:11:33 +0000
jail: Add the ability to access system-level filesystem extended attributes
Prior to this commit, privileged accounts in a jail could not access the
filesystem extended attributes in the system namespace. To control access to
the system namespace on a per-jail basis, add a new configuration parameter,
allow.extattr, which is off by default.
Reported by: zirias
Tested by: zirias
Obtained from: HardenedBSD
Reviewed by: kevans, jamie
Differential revision: https://reviews.freebsd.org/D41643
MFC after: 1 week
Relnotes: yes
---
sys/kern/kern_jail.c | 14 ++++++++++++++
sys/sys/jail.h | 3 ++-
usr.sbin/jail/jail.8 | 8 ++++++--
3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 39bdcaf5ef0e..0c1f565638da 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -220,6 +220,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
#ifdef VIMAGE
{"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
#endif
+ {"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4059,6 +4060,17 @@ prison_priv_check(struct ucred *cred, int priv)
case PRIV_VFS_READ_DIR:
return (0);
+ /*
+ * Conditionally allow privileged process in the jail to
+ * manipulate filesystem extended attributes in the system
+ * namespace.
+ */
+ case PRIV_VFS_EXTATTR_SYSTEM:
+ if ((cred->cr_prison->pr_allow & PR_ALLOW_EXTATTR) != 0)
+ return (0);
+ else
+ return (EPERM);
+
/*
* Conditionnaly allow locking (unlocking) physical pages
* in memory.
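Review bot: The comment on the new PRIV_VFS_EXTATTR_SYSTEM case describes the flag as letting the jail "manipulate" system-namespace attributes, and the sysctl description added in the next hunk says "may set", but as far as I recall extattr_check_cred() requires this one privilege for every access mode to the system namespace, so turning allow.extattr on also grants reading, listing and deleting. Since that wording is what an administrator reads before enabling the knob, the comment could say `* Conditionally allow privileged processes in the jail to access (read, list, set or delete) filesystem extended attributes in the system namespace.` and the sysctl string `"Jail may access system-level filesystem extended attributes"`. The "off by default" claim in the commit message cannot be confirmed from this diff, since PR_ALLOW_ALL_STATIC is the set of settable flags and the default mask is not touched here. prison_priv_check() begins and ends outside this hunk.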
@@ -4552,6 +4564,8 @@ SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
"B", "Mountd/nfsd may run in the jail");
#endif
+SYSCTL_JAIL_PARAM(_allow, extattr, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may set system-level filesystem extended attributes");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 088a0bc33d6d..fb8858f73453 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -253,7 +253,8 @@ struct prison_racct {
#define PR_ALLOW_RESERVED_PORTS 0x00008000
#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
#define PR_ALLOW_NFSD 0x00020000
-#define PR_ALLOW_ALL_STATIC 0x000387ff
+#define PR_ALLOW_EXTATTR 0x00040000
+#define PR_ALLOW_ALL_STATIC 0x000787ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
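Review bot: PR_ALLOW_ALL_STATIC is a hand-maintained mask and nothing in the header checks that the new 0x000787ff equals the OR of the PR_ALLOW_* flags above it; the arithmetic here is right (0x00038000 | 0x00040000 = 0x00078000), but a slip on a future addition would silently make a flag unsettable or expose the wrong bit through pr_allow_all. A comment next to the definition, `/* OR of every PR_ALLOW_* flag above; update when adding a flag */`, would at least make the invariant visible to the next person adding one. The PR_ALLOW_DIFFERENCES comment continues outside the hunk.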
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 0e98914795a2..f6fd04d52162 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd August 26, 2023
+.Dd September 1, 2023
.Dt JAIL 8
.Os
.Sh NAME
@@ -642,6 +642,9 @@ sysctl.
The super-user will be disabled automatically if its parent system has it
disabled.
The super-user is enabled by default.
+.It Va allow.extattr
+Allow privileged process in the jail to manipulate filesystem extended
+attributes in the system namespace.
.El
.El
.Pp
@@ -1414,7 +1417,8 @@ environment of the first jail.
.Xr shutdown 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
-.Xr umount 8
+.Xr umount 8 ,
+.Xr extattr 9
.Sh HISTORY
The
.Nm