Date: Fri, 1 Sep 2023 08:14:44 GMT
Message-Id: <202309010814.3818EiJK008488@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Dmitry Chagin
Subject: git: cb48780db4d6 - main - jail: Add the ability to access system-level filesystem extended attributes
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: dchagin
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: cb48780db4d6d276d0abd2f84d41185fce17ff83
Auto-Submitted: auto-generated

The branch main has been updated by dchagin:

URL: https://cgit.FreeBSD.org/src/commit/?id=cb48780db4d6d276d0abd2f84d41185fce17ff83

commit cb48780db4d6d276d0abd2f84d41185fce17ff83
Author: Shawn Webb
AuthorDate: 2023-09-01 08:11:33 +0000
Commit: Dmitry Chagin
CommitDate: 2023-09-01 08:11:33 +0000

jail: Add the ability to access system-level filesystem extended attributes

Prior to this commit, privileged accounts in a jail could not access
the filesystem extended attributes in the system namespace.
To control access to the system namespace on a per-jail basis, add a new
configuration parameter, allow.extattr, which is off by default.

Reported by: zirias
Tested by: zirias
Obtained from: HardenedBSD
Reviewed by: kevans, jamie
Differential revision: https://reviews.freebsd.org/D41643
MFC after: 1 week
Relnotes: yes

--- sys/kern/kern_jail.c | 14 ++++++++++++++ sys/sys/jail.h | 3 ++- usr.sbin/jail/jail.8 | 8 ++++++-- 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 39bdcaf5ef0e..0c1f565638da 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c
@@ -220,6 +220,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = { #ifdef VIMAGE {"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD}, #endif + {"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR}, }; static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC; const size_t pr_flag_allow_size = sizeof(pr_flag_allow); @@ -4059,6 +4060,17 @@ prison_priv_check(struct ucred *cred, int priv) case PRIV_VFS_READ_DIR: return (0); + /* + * Conditionally allow privileged process in the jail to + * manipulate filesystem extended attributes in the system + * namespace. + */ + case PRIV_VFS_EXTATTR_SYSTEM: + if ((cred->cr_prison->pr_allow & PR_ALLOW_EXTATTR) != 0) + return (0); + else + return (EPERM); + /* * Conditionnaly allow locking (unlocking) physical pages * in memory. @@ -4552,6 +4564,8 @@ SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW, "B", "Mountd/nfsd may run in the jail"); #endif +SYSCTL_JAIL_PARAM(_allow, extattr, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may set system-level filesystem extended attributes"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 088a0bc33d6d..fb8858f73453 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -253,7 +253,8 @@ struct prison_racct { #define PR_ALLOW_RESERVED_PORTS 0x00008000 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ #define PR_ALLOW_NFSD 0x00020000 -#define PR_ALLOW_ALL_STATIC 0x000387ff +#define PR_ALLOW_EXTATTR 0x00040000 +#define PR_ALLOW_ALL_STATIC 0x000787ff /* * PR_ALLOW_DIFFERENCES determines which flags are able to be diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 0e98914795a2..f6fd04d52162 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 
@@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd August 26, 2023 +.Dd September 1, 2023 .Dt JAIL 8 .Os .Sh NAME @@ -642,6 +642,9 @@ sysctl. The super-user will be disabled automatically if its parent system has it disabled. The super-user is enabled by default. +.It Va allow.extattr +Allow privileged process in the jail to manipulate filesystem extended +attributes in the system namespace. .El .El .Pp @@ -1414,7 +1417,8 @@ environment of the first jail. .Xr shutdown 8 , .Xr sysctl 8 , .Xr syslogd 8 , -.Xr umount 8 +.Xr umount 8 , +.Xr extattr 9 .Sh HISTORY The .Nm
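Review bot: In the prison_priv_check() hunk of sys/kern/kern_jail.c (@@ -4059), the new case returns 0 for PRIV_VFS_EXTATTR_SYSTEM on the PR_ALLOW_EXTATTR bit alone, yet the three descriptions of what that opens up do not agree: the code comment says "manipulate", the SYSCTL_JAIL_PARAM text added further down says "Jail may set", and the commit subject says "access". Settle on one wording and have the comment say explicitly whether reading system-namespace attributes is covered as well as writing them, since an administrator deciding whether to enable the flag needs to know that. Minor points in the same hunk: "privileged process" should be plural, and the `else` after `return (0);` is redundant.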
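Review bot: In the sys/sys/jail.h hunk (@@ -253), PR_ALLOW_ALL_STATIC is a hand-computed literal that has to be bumped every time a bit is added, and nothing ties it to the defines above it. The new value is right (0x000387ff with 0x00040000 set gives 0x000787ff), but a short comment on the define saying it must include every PR_ALLOW_* bit, or a compile-time check against the highest defined bit, would catch the next addition that forgets to update it. PR_ALLOW_EXTATTR itself could carry a one-line comment like the one on PR_ALLOW_KMEM_ACCESS, naming the privilege it gates.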
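Review bot: In the usr.sbin/jail/jail.8 hunk at @@ -642, the new allow.extattr entry does not state its default, while the entry just above it does ("The super-user is enabled by default.") and the commit message says the parameter is off by default. Add a sentence saying it is disabled by default, and consider a sentence on why an administrator would leave it off, for example that the system namespace is otherwise reserved to the host's privileged processes. "Allow privileged process" should read "Allow privileged processes", matching the fix suggested for the kernel comment.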