RFC: Jail privsets

[Kyle Evans]

(Cross-posting to -arch and -jail for maximum reach)

Hi,

A couple of times recently, I've had a need or desire to increase or
decrease privileges available to jails I create to some extent. You
can write a MAC policy for this, but at some point the downsides of
MAC policies for this became clear: it's either non-trivial to allow
the kind of flexibility you may need in configuring some of these
jails, and you have to rebuild the module otherwise.

I've got a generally functional patch at [1] that is an approach I'd
like to request comments on for refining jail privileges. It creates a
privset that can be assigned on a per-jail basis, and a creator with
PRIV_JAIL_SETPRIVS can specify any privset mask that's a subset of the
parent prison.

If no privset was specified at creation time, then we use the default
logic that was previously in prison_priv_check(). prison_priv_check()
has been replaced with a much simpler check of the prison's privset
for the given privilege.

As I was writing this, I identified the first problem with it: it
doesn't currently respond to ALLOW_* updates and grant the appropriate
privileges after initialization time -- this is a pretty easy fix, and
I will do so if anyone else finds this useful.

The other caveat is that I have no idea if there's a useful way to
expose this to jail(8) users, but they're not really the primary
target for this -- the primary target is system application developers
that want more fine control over what a jail they're creating can do.

This is an excellent foot-gun, but with great power comes great responsibility.

Thanks,

Kyle Evans

[1] https://people.freebsd.org/~kevans/privset.diff