RFC: Jail privsets
Kyle Evans
kevans at freebsd.org
Fri Nov 27 05:04:29 UTC 2020
(Cross-posting to -arch and -jail for maximum reach)
Hi,
A couple of times recently, I've had a need or desire to increase or
decrease privileges available to jails I create to some extent. You
can write a MAC policy for this, but at some point the downsides of
MAC policies for this became clear: it's either non-trivial to allow
the kind of flexibility you may need in configuring some of these
jails, or you have to rebuild the module otherwise.
I've got a generally functional patch at [1] that is an approach I'd
like to request comments on for refining jail privileges. It creates a
privset that can be assigned on a per-jail basis, and a creator with
PRIV_JAIL_SETPRIVS can specify any privset mask that's a subset of the
parent prison.
If no privset was specified at creation time, then we use the default
logic that was previously in prison_priv_check(). prison_priv_check()
has been replaced with a much simpler check of the prison's privset
for the given privilege.
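As an added illustration of the design described above (a toy model written for this note, not code from the privset.diff patch): a privset is modelled as a 64-bit mask with one bit per privilege, creation accepts an explicit mask only from a creator holding the setprivs privilege and only if the mask is a subset of the parent prison's, a missing mask falls back to a default derived from ALLOW_*-style flags and clipped to the parent, and the check itself collapses to a single bit test. The privilege numbers, the `ALLOW_EX_*` flags, `struct prison`'s fields and all helper names are constructed for the example and do not correspond to FreeBSD's real sys/priv.h or jail definitions.

```c
/*
 * Toy model of per-jail privsets (constructed for this example; not the
 * code from the privset.diff patch). A privset is a 64-bit mask with one
 * bit per privilege; a child's mask must be a subset of its parent's.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t privset_t;

/* Constructed privilege numbers; not the values in FreeBSD's sys/priv.h. */
enum {
	PRIV_EX_BIND_RESERVED = 0,
	PRIV_EX_SET_HOSTNAME = 1,
	PRIV_EX_RAW_SOCKET = 2,
	PRIV_EX_MOUNT = 3,
	PRIV_EX_JAIL_SETPRIVS = 4,	/* stands in for PRIV_JAIL_SETPRIVS */
};

/* Constructed stand-ins for jail ALLOW_* flags. */
#define ALLOW_EX_SET_HOSTNAME	0x1
#define ALLOW_EX_RAW_SOCKETS	0x2
#define ALLOW_EX_MOUNT		0x4

#define PRIVSET_BIT(p)	((privset_t)1 << (p))

struct prison {
	privset_t pr_privset;	/* privileges this prison may exercise */
	unsigned pr_allow;	/* ALLOW_* flags it was created with */
};

/*
 * Default privset when the creator passes none: a baseline plus what the
 * ALLOW_* flags grant, never exceeding the parent. Stands in for the logic
 * the mail says previously lived in prison_priv_check().
 */
static privset_t
default_privset(const struct prison *parent, unsigned allow)
{
	privset_t set = PRIVSET_BIT(PRIV_EX_BIND_RESERVED);

	if (allow & ALLOW_EX_SET_HOSTNAME)
		set |= PRIVSET_BIT(PRIV_EX_SET_HOSTNAME);
	if (allow & ALLOW_EX_RAW_SOCKETS)
		set |= PRIVSET_BIT(PRIV_EX_RAW_SOCKET);
	if (allow & ALLOW_EX_MOUNT)
		set |= PRIVSET_BIT(PRIV_EX_MOUNT);
	return (set & parent->pr_privset);
}

/*
 * Create a child prison. An explicit privset is honoured only if the creator
 * holds the setprivs privilege and the mask adds nothing beyond the parent's.
 * Returns 0 on success or EPERM.
 */
int
prison_create(const struct prison *parent, privset_t creator_privs,
    bool have_privset, privset_t requested, unsigned allow,
    struct prison *child)
{
	privset_t set;

	if (have_privset) {
		if ((creator_privs & PRIVSET_BIT(PRIV_EX_JAIL_SETPRIVS)) == 0)
			return (EPERM);
		/* Subset test: a bit set in requested but not in parent is a violation. */
		if ((requested & ~parent->pr_privset) != 0)
			return (EPERM);
		set = requested;
	} else {
		set = default_privset(parent, allow);
	}
	child->pr_privset = set;
	child->pr_allow = allow;
	return (0);
}

/* The simplified check: a single bit test against the prison's privset. */
int
prison_priv_check(const struct prison *pr, int priv)
{
	return ((pr->pr_privset & PRIVSET_BIT(priv)) != 0 ? 0 : EPERM);
}

/* Constructed parent holding everything except PRIV_EX_MOUNT (mask 0x17). */
static struct prison
example_parent(void)
{
	struct prison parent = { 0, 0 };

	parent.pr_privset = PRIVSET_BIT(PRIV_EX_BIND_RESERVED) |
	    PRIVSET_BIT(PRIV_EX_SET_HOSTNAME) | PRIVSET_BIT(PRIV_EX_RAW_SOCKET) |
	    PRIVSET_BIT(PRIV_EX_JAIL_SETPRIVS);
	return (parent);
}

/* Creates a child under example_parent(); returns its privset, or 0 if refused. */
privset_t
create_child_privset(privset_t creator_privs, bool have_privset,
    privset_t requested, unsigned allow)
{
	struct prison parent = example_parent(), child;

	if (prison_create(&parent, creator_privs, have_privset, requested,
	    allow, &child) != 0)
		return (0);
	return (child.pr_privset);
}

/* Runs the check against a prison built with the given privset. */
int
check_with_privset(privset_t set, int priv)
{
	struct prison pr = { set, 0 };

	return (prison_priv_check(&pr, priv));
}

int
main(void)
{
	privset_t set = create_child_privset(PRIVSET_BIT(PRIV_EX_JAIL_SETPRIVS),
	    true, PRIVSET_BIT(PRIV_EX_BIND_RESERVED) |
	    PRIVSET_BIT(PRIV_EX_SET_HOSTNAME), 0);

	printf("child privset 0x%llx; raw socket %s\n", (unsigned long long)set,
	    check_with_privset(set, PRIV_EX_RAW_SOCKET) == 0 ? "allowed" : "denied");
	return (0);
}
```

The subset test `(requested & ~parent) != 0` is the whole of the containment rule: it rejects a request that adds any privilege the parent lacks, while still allowing a creator to drop privileges it would otherwise inherit. The default path is clipped with the same `&` against the parent so that ALLOW_*-derived grants can never exceed the parent either.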
As I was writing this, I identified the first problem with it: it
doesn't currently respond to ALLOW_* updates and grant the appropriate
privileges after initialization time -- this is a pretty easy fix, and
I will do so if anyone else finds this useful.
The other caveat is that I have no idea if there's a useful way to
expose this to jail(8) users, but they're not really the primary
target for this -- the primary target is system application developers
that want more fine control over what a jail they're creating can do.
This is an excellent foot-gun, but with great power comes great responsibility.
Thanks,
Kyle Evans
[1] https://people.freebsd.org/~kevans/privset.diff