PERFORCE change 105601 for review
Robert Watson
rwatson at FreeBSD.org
Sun Sep 3 16:47:01 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=105601
Change 105601 by rwatson at rwatson_sesame on 2006/09/03 16:42:46
First scratchings at a new approach to jail and privilege: since
we now have named privileges being passed in explicitly, the jail
decision can be made centrally rather than scattered all over the
kernel. The list of privileges here is not yet complete, though.
Affected files ...
.. //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#2 (text+ko) ====
@@ -20,6 +20,7 @@
#include <sys/sysproto.h>
#include <sys/mac.h>
#include <sys/malloc.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/taskqueue.h>
#include <sys/jail.h>
@@ -37,7 +38,6 @@
MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
-SYSCTL_DECL(_security);
SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
"Jail rules");
@@ -205,7 +205,7 @@
* a process root from one prison, but attached to the jail
* of another.
*/
- error = suser(td);
+ error = priv_check(td, PRIV_JAIL_ATTACH);
if (error)
return (error);
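Review bot: The outcome of this check for a jailed credential is now decided by the new prison_priv_check() rather than by suser()'s own jail test, and because PRIV_JAIL_ATTACH is not in that function's grant list a jailed root falls through to its default EPERM, assuming priv_check() routes jailed credentials through it. The comment above, whose start lies outside the hunk, should say so, e.g. `/* PRIV_JAIL_ATTACH is never granted to a jailed credential; see prison_priv_check(). */`, so that a later addition to the grant list is recognised as a policy change rather than a tidy-up. The enclosing function begins and ends outside this hunk.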
@@ -523,6 +523,103 @@
}
}
+/*
+ * Check with permission for a specific privilege is granted within jail. We
+ * have a specific list of accepted privileges; the rest are denied.
+ */
+int
+prison_priv_check(struct ucred *cred, enum priv priv)
+{
+
+ if (!(jailed(cred)))
+ return (0);
+
+ switch (priv) {
+ case PRIV_CRED_SETUID:
+ case PRIV_CRED_SETEUID:
+ case PRIV_CRED_SETGID:
+ case PRIV_CRED_SETEGID:
+ case PRIV_CRED_SETREUID:
+ case PRIV_CRED_SETREGID:
+ case PRIV_CRED_SETRESUID:
+ case PRIV_CRED_SETRESGID:
+ case PRIV_CRED_SETGROUPS:
+ /*
+ * Grant most process credential privileges, as root within a
+ * jail can set up credentials as it sees fit. The ability
+ * to modify jail settings, and in particular to attach to a
+ * jail, is not granted.
+ */
+ return (0);
+
+ case PRIV_SIGNAL_SUGID:
+ case PRIV_SIGNAL_DIFFCRED:
+ case PRIV_PROC_SETLOGIN:
+ /*
+ * Inter-process privileges are generally granted, since a
+ * separate jail name space check will be performed to scope
+ * these calls to the current jail.
+ */
+ return (0);
+
+ case PRIV_SCHED_SETPRIORITY:
+ case PRIV_PROC_SETRLIMIT:
+ /*
+ * Root in jail can modify resource limits and scheduler
+ * properties as it sees fit.
+ */
+ return (0);
+
+ case PRIV_IPC_READ:
+ case PRIV_IPC_EXEC:
+ case PRIV_IPC_WRITE:
+ case PRIV_IPC_ADMIN:
+ case PRIV_IPC_MSGSIZE:
+ /*
+ * Grant System V IPC privileges -- we enable access to the
+ * services using a single setting, and assume that if System
+ * V IPC is available in the jail, privilege will be granted
+ * to root in the jail.
+ */
+ return (0);
+
+ case PRIV_MQ_ADMIN:
+ /*
+ * POSIX message queue administrative privilege is granted:
+ * if the jail can name the resource, then root in the jail
+ * can manage it.
+ */
+ return (0);
+
+ case PRIV_VFS_READ:
+ case PRIV_VFS_WRITE:
+ case PRIV_VFS_EXEC:
+ case PRIV_VFS_ADMIN:
+ case PRIV_VFS_LOOKUP:
+ /*
+ * In general, grant file permission exemption in VFS, but
+ * not the right to manipulate the name space (mounting,
+ * chroot, etc).
+ */
+ return (0);
+
+ case PRIV_VFS_CHFLAGS_DEV:
+ case PRIV_VFS_REVOKE:
+ /*
+ * Grant rights relating to managing visible device nodes and
+ * ttys.
+ */
+
+ return (0);
+
+ default:
+ /*
+ * In all remaining cases, deny the privilege request.
+ */
+ return (EPERM);
+ }
+}
+
static int
sysctl_jail_list(SYSCTL_HANDLER_ARGS)
{
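Review bot: The PRIV_SIGNAL_* and PRIV_IPC_* arms of prison_priv_check() grant on the strength of checks that are not in this function — the comments say a separate jail name-space check scopes signals and that System V IPC is gated by a single jail-wide setting — so the default-deny here is only safe while every caller keeps making those checks, and the header comment (which also reads `Check with permission for a specific privilege`) should state that contract. I would write it as `Check whether a specific privilege is granted to a jailed credential; only the privileges listed here are granted, all others are denied. Callers remain responsible for scoping the target object to the jail and for honouring jail-wide tunables such as whether System V IPC is enabled.` If kern_jail.c already carries the sysvipc_allowed tunable under the security.jail node declared above, the PRIV_IPC_* arm could consult it directly, which would make the decision as central as the change description intends. The PRIV_PROC_SETRLIMIT grant lets root in a jail raise hard limits, which is presumably the pre-existing behaviour but deserves a comment noting that no resource isolation is provided here. The blank line between the PRIV_VFS_CHFLAGS_DEV/PRIV_VFS_REVOKE comment and its `return (0);` breaks the layout used by every other arm.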