git: cb48780db4d6 - main - jail: Add the ability to access system-level filesystem extended attributes
Date: Fri, 01 Sep 2023 08:14:44 UTC
The branch main has been updated by dchagin:

URL: https://cgit.FreeBSD.org/src/commit/?id=cb48780db4d6d276d0abd2f84d41185fce17ff83

commit cb48780db4d6d276d0abd2f84d41185fce17ff83
Author: Shawn Webb <shawn.webb@hardenedbsd.org>
AuthorDate: 2023-09-01 08:11:33 +0000
Commit: Dmitry Chagin <dchagin@FreeBSD.org>
CommitDate: 2023-09-01 08:11:33 +0000

jail: Add the ability to access system-level filesystem extended attributes

Prior to this commit privileged accounts in a jail could not access to the filesystem extended attributes in the system namespace. To control access to the system namespace in a per-jail basis add a new configuration parameter allow.extattr which is off by default.

Reported by: zirias
Tested by: zirias
Obtained from: HardenedBSD
Reviewed by: kevans, jamie
Differential revision: https://reviews.freebsd.org/D41643
MFC after: 1 week
Relnotes: yes
---
 sys/kern/kern_jail.c | 14 ++++++++++++++
 sys/sys/jail.h | 3 ++-
 usr.sbin/jail/jail.8 | 8 ++++++--
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 39bdcaf5ef0e..0c1f565638da 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -220,6 +220,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
 #ifdef VIMAGE
 	{"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
 #endif
+	{"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
 };
 static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
 const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4059,6 +4060,17 @@ prison_priv_check(struct ucred *cred, int priv)
 	case PRIV_VFS_READ_DIR:
 		return (0);
 
+	/*
+	 * Conditionally allow privileged process in the jail to
+	 * manipulate filesystem extended attributes in the system
+	 * namespace.
+	 */
+	case PRIV_VFS_EXTATTR_SYSTEM:
+		if ((cred->cr_prison->pr_allow & PR_ALLOW_EXTATTR) != 0)
+			return (0);
+		else
+			return (EPERM);
+
 	/*
 	 * Conditionnaly allow locking (unlocking) physical pages
 	 * in memory.
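Review bot: The new comment above the PRIV_VFS_EXTATTR_SYSTEM case says what the flag permits but not why the privilege is denied by default, which is what the next maintainer needs before enabling allow.extattr on a jail whose filesystem is shared with the host; suggest extending the comment with `* The system namespace is root-only on the host because it can carry security metadata (on UFS, POSIX.1e ACLs and MAC labels are stored there), hence the flag is off by default.` That ACL/MAC detail comes from the UFS implementation rather than from this hunk, so confirm it against the current extattr consumers before committing the wording. prison_priv_check's body starts and ends outside the hunk.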
@@ -4552,6 +4564,8 @@ SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
 SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Mountd/nfsd may run in the jail");
 #endif
+SYSCTL_JAIL_PARAM(_allow, extattr, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may set system-level filesystem extended attributes");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 088a0bc33d6d..fb8858f73453 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -253,7 +253,8 @@ struct prison_racct {
 #define PR_ALLOW_RESERVED_PORTS 0x00008000
 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
 #define PR_ALLOW_NFSD 0x00020000
-#define PR_ALLOW_ALL_STATIC 0x000387ff
+#define PR_ALLOW_EXTATTR 0x00040000
+#define PR_ALLOW_ALL_STATIC 0x000787ff
 
 /*
  * PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 0e98914795a2..f6fd04d52162 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd August 26, 2023
+.Dd September 1, 2023
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -642,6 +642,9 @@ sysctl.
 The super-user will be disabled automatically if its parent system has it
 disabled.
 The super-user is enabled by default.
+.It Va allow.extattr
+Allow privileged process in the jail to manipulate filesystem extended
+attributes in the system namespace.
 .El
 .El
 .Pp
@@ -1414,7 +1417,8 @@ environment of the first jail.
 .Xr shutdown 8 ,
 .Xr sysctl 8 ,
 .Xr syslogd 8 ,
-.Xr umount 8
+.Xr umount 8 ,
+.Xr extattr 9
 .Sh HISTORY
 The
 .Nm
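Review bot: The sysctl description added here says the jail `may set` system-level extended attributes, while the commit title says `access` and the new jail(8) text says `manipulate`; since the check in prison_priv_check gates PRIV_VFS_EXTATTR_SYSTEM as a whole, reading the system namespace is presumably covered too, and "set" understates what the flag grants. Suggest `"B", "Jail may access system-level filesystem extended attributes"` so the three descriptions agree. The jail(8) entry would also benefit from stating that the parameter is off by default, as the commit message does.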