PERFORCE change 105881 for review

Robert Watson rwatson at FreeBSD.org
Sat Sep 9 10:01:50 UTC 2006 

http://perforce.freebsd.org/chv.cgi?CH=105881

Change 105881 by rwatson at rwatson_sesame on 2006/09/09 10:01:13

	Complete privilege mapping for Jail.

Affected files ...

.. //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#3 edit

Differences ...

==== //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#3 (text+ko) ====

@@ -535,82 +535,189 @@
 		return (0);
 
 	switch (priv) {
+	/* case PRIV_ROOT: */
+	/* case PRIV_ACCT: */
+	/* case PRIV_MAXFILES: */
+	/* case PRIV_MAXPROC: */
+	case PRIV_KTRACE:
+	/* case PRIV_SETDUMPER: */
+	/* case PRIV_NFSD: */
+	/* case PRIV_REBOOT: */
+	/* case PRIV_SWAPON: */
+	/* case PRIV_SWAPOFF: */
+	/* case PRIV_MSGBUF: */
+	/* case PRIV_WITNESS: */
+	/* case PRIV_IO: */
+	/* case PRIV_KEYBOARD: */
+	/* case PRIV_DRIVER: */
+	/* case PRIV_ADJTIME: */
+	/* case PRIV_NTP_ADJTIME: */
+	/* case PRIV_CLOCK_SETTIME: */
+	/* case PRIV_SETTIMEOFDAY: */
+	/* case PRIV_SETHOSTID: */
+	/* case PRIV_SETDOMAINNAME: */
+	/* case PRIV_AUDIT_CONTROL: */
+	/* case PRIV_AUDIT_FAILSTOP: */
+	case PRIV_AUDIT_GETAUDIT:
+	case PRIV_AUDIT_SETAUDIT:
+	case PRIV_AUDIT_SUBMIT:
 	case PRIV_CRED_SETUID:
 	case PRIV_CRED_SETEUID:
 	case PRIV_CRED_SETGID:
 	case PRIV_CRED_SETEGID:
+	case PRIV_CRED_SETGROUPS:
 	case PRIV_CRED_SETREUID:
 	case PRIV_CRED_SETREGID:
 	case PRIV_CRED_SETRESUID:
 	case PRIV_CRED_SETRESGID:
-	case PRIV_CRED_SETGROUPS:
-		/*
-		 * Grant most process credential privileges, as root within a
-		 * jail can set up credentials as it sees fit.  The ability
-		 * to modify jail settings, and in particular to attach to a
-		 * jail, is not granted.
-		 */
-		return (0);
-
-	case PRIV_SIGNAL_SUGID:
-	case PRIV_SIGNAL_DIFFCRED:
+	case PRIV_SEEOTHERGIDS:
+	case PRIV_SEEOTHERUIDS:
+	case PRIV_DEBUG_DIFFCRED:
+	case PRIV_DEBUG_SUGID:
+	case PRIV_DEBUG_UNPRIV:
+	/* case PRIV_FIRMWARE_LOAD: */
+	/* case PRIV_JAIL_ATTACH: */
+	/* case PRIV_KENV_SET: */
+	/* case PRIV_KENV_UNSET: */
+	/* case PRIV_KLD_LOAD: */
+	/* case PRIV_KLD_UNLOAD: */
+	/* case PRIV_MAC_PARTITION: */
+	case PRIV_PROC_LIMIT:
 	case PRIV_PROC_SETLOGIN:
-		/*
-		 * Inter-process privileges are generally granted, since a
-		 * separate jail name space check will be performed to scope
-		 * these calls to the current jail.
-		 */
-		return (0);
-
-	case PRIV_SCHED_SETPRIORITY:
 	case PRIV_PROC_SETRLIMIT:
-		/*
-		 * Root in jail can modify resource limits and scheduler
-		 * properties as it sees fit.
-		 */
-		return (0);
 
-	case PRIV_IPC_READ:
-	case PRIV_IPC_EXEC:
-	case PRIV_IPC_WRITE:
-	case PRIV_IPC_ADMIN:
-	case PRIV_IPC_MSGSIZE:
-		/*
-		 * Grant System V IPC privileges -- we enable access to the
-		 * services using a single setting, and assume that if System
-		 * V IPC is available in the jail, privilege will be granted
-		 * to root in the jail.
-		 */
-		return (0);
-
-	case PRIV_MQ_ADMIN:
-		/*
-		 * POSIX message queue administrative privilege is granted:
-		 * if the jail can name the resource, then root in the jail
-		 * can manage it.
-		 */
-		return (0);
-
+	/* XXXRW: Not yet. */
+	/* case PRIV_IPC_READ: */
+	/* case PRIV_IPC_WRITE: */
+	/* case PRIV_IPC_EXEC: */
+	/* case PRIV_IPC_ADMIN: */
+	/* case PRIV_IPC_MSGSIZE: */
+	/* case PRIV_MQ_ADMIN: */
+	/* case PRIV_PMC_MANAGE: */
+	/* case PRIV_PMC_SYSTEM: */
+	case PRIV_SCHED_DIFFCRED:
+	/* case PRIV_SCHED_SETPRIORITY: */
+	/* case PRIV_SCHED_RTPRIO: */
+	/* case PRIV_SCHED_SETPOLICY: */
+	/* case PRIV_SCHED_SET: */
+	/* case PRIV_SCHED_SETPARAM: */
+	/* case PRIV_SEM_WRITE: */
+	case PRIV_SIGNAL_DIFFCRED:
+	case PRIV_SIGNAL_SUGID:
+	/* case PRIV_SYSCTL_DEBUG: */
+	/* case PRIV_SYSCTL_WRITE: */
+	case PRIV_SYSCTL_WRITEJAIL:
+	/* case PRIV_TTY_CONSOLE: */
+	/* case PRIV_TTY_DRAINWAIT: */
+	/* case PRIV_TTY_DTRWAIT: */
+	/* case PRIV_TTY_EXCLUSIVE: */
+	/* case PRIV_TTY_PRISON: */
+	/* case PRIV_TTY_STI: */
+	/* case PRIV_TTY_SETA: */
+	/* case PRIV_UFS_EXTATTRCTL: */
+	case PRIV_UFS_GETQUOTA:
+	case PRIV_UFS_QUOTAOFF:		/* XXXRW: Slightly surprising. */
+	case PRIV_UFS_QUOTAON:		/* XXXRW: Slightly surprising. */
+	case PRIV_UFS_SETQUOTA:
+	case PRIV_UFS_SETUSE:		/* XXXRW: Slightly surprising. */
+	/* case PRIV_UFS_EXCEEDQUOTA: */
 	case PRIV_VFS_READ:
 	case PRIV_VFS_WRITE:
+	case PRIV_VFS_ADMIN:
 	case PRIV_VFS_EXEC:
-	case PRIV_VFS_ADMIN:
 	case PRIV_VFS_LOOKUP:
-		/*
-		 * In general, grant file permission exemption in VFS, but
-		 * not the right to manipulate the name space (mounting,
-		 * chroot, etc).
-		 */
+	case PRIV_VFS_BLOCKRESERVE:	/* XXXRW: Slightly surprising. */
+	case PRIV_VFS_CHFLAGS_DEV:
+	case PRIV_VFS_CHOWN:
+	case PRIV_VFS_CHROOT:
+	case PRIV_VFS_CLEARSUGID:
+	/* case PRIV_VFS_EXTATTR_SYSTEM: */
+	case PRIV_VFS_FCHROOT:
+	/* case PRIV_VFS_FHOPEN: */
+	/* case PRIV_VFS_FHSTAT: */
+	/* case PRIV_VFS_FHSTATFS: */
+	/* case PRIV_VFS_GENERATION: */
+	/* case PRIV_VFS_GETFH: */
+	case PRIV_VFS_LINK:
+	/* case PRIV_VFS_MKNOD_DEV: */
+	/* case PRIV_VFS_MOUNT: */
+	/* case PRIV_VFS_MOUNT_OWNER: */
+	/* case PRIV_VFS_MOUNT_EXPORTED: */
+	/* case PRIV_VFS_MOUNT_PERM: */
+	/* case PRIV_VFS_MOUNT_SUIDDIR: */
+	case PRIV_VFS_SETGID:
+	case PRIV_VFS_STICKYFILE:
 		return (0);
 
-	case PRIV_VFS_CHFLAGS_DEV:
-	case PRIV_VFS_REVOKE:
-		/*
-		 * Grant rights relating to managing visible device nodes and
-		 * ttys.
-		 */
+	case PRIV_VFS_SYSFLAGS:
+		if (jail_chflags_allowed)
+			return (0);
+		else
+			return (EPERM);
 
+	/* case PRIV_VFS_UNMOUNT: */
+	/* case PRIV_VM_MADV_PROTECT: */
+	/* case PRIV_VM_MLOCK: */
+	/* case PRIV_VM_MUNLOCK: */
+	/* case PRIV_DEVFS_RULE: */
+	/* case PRIV_DEVFS_SYMLINK: */
+	/* case PRIV_RANDOM_RESEED: */
+	/* case PRIV_NET_BRIDGE: */
+	/* case PRIV_NET_GRE: */
+	/* case PRIV_NET_PPP: */
+	/* case PRIV_NET_SLIP: */
+	/* case PRIV_NET_BPF: */
+	/* case PRIV_NET_RAW: */
+	/* case PRIV_NET_ROUTE: */
+	/* case PRIV_NET_TAP: */
+	/* case PRIV_NET_SETIFMTU: */
+	/* case PRIV_NET_SETIFFLAGS: */
+	/* case PRIV_NET_SETIFCAP: */
+	/* case PRIV_NET_SETIFNAME: */
+	/* case PRIV_NET_SETIFMETRIC: */
+	/* case PRIV_NET_SETIFPHYS: */
+	/* case PRIV_NET_SETIFMAC: */
+	/* case PRIV_NET_ADDMULTI: */
+	/* case PRIV_NET_DELMULTI: */
+	/* case PRIV_NET_HWIOCTL: */
+	/* case PRIV_NET_SETLLADDR: */
+	/* case PRIV_NET_ADDIFGROUP: */
+	/* case PRIV_NET_DELIFGROUP: */
+	/* case PRIV_NET_IFCREATE: */
+	/* case PRIV_NET_IFDESTROY: */
+	/* case PRIV_NET80211_GETKEY: */
+	/* case PRIV_NET80211_MANAGE: */
+	/* case PRIV_NETATALK_RESERVEDPORT: */
+	/* case PRIV_NETATM_CFG: */
+	/* case PRIV_NETATM_ADD: */
+	/* case PRIV_NETATM_DEL: */
+	/* case PRIV_NETATM_SET: */
+	/* case PRIV_NETGRAPH_CONTROL: */
+	/* case PRIV_NETGRAPH_TTY: */
+	case PRIV_NETINET_RESERVEDPORT:
 		return (0);
+	/* case PRIV_NETINET_IPFW: */
+	/* case PRIV_NETINET_DIVERT: */
+	/* case PRIV_NETINET_PF: */
+	/* case PRIV_NETINET_DUMMYNET: */
+	/* case PRIV_NETINET_CARP: */
+	/* case PRIV_NETINET_MROUTE: */
+	case PRIV_NETINET_RAW:
+		if (jail_allow_raw_sockets)
+			return (0);
+		else
+			return (EPERM);
+	case PRIV_NETINET_GETCRED:
+	/* case PRIV_NETINET_ADDRCTRL6: */
+	/* case PRIV_NETINET_ND6: */
+	/* case PRIV_NETINET_SCOPE6: */
+	/* case PRIV_NETINET_ALIFETIME6: */
+	/* case PRIV_NETINET_IPSEC: */
+	/* case PRIV_NETIPX_RESERVEDPORT: */
+	/* case PRIV_NETIPX_RAW: */
+	/* case PRIV_NETNCP: */
+	/* case PRIV_NETSMB: */
+	/* case PRIV_VM86_INTCALL: */
 
 	default:
 		/*

More information about the trustedbsd-cvs mailing list