PERFORCE change 106285 for review
Robert Watson
rwatson at FreeBSD.org
Mon Sep 18 02:18:49 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=106285
Change 106285 by rwatson at rwatson_peppercorn on 2006/09/18 09:16:49
Remove commented-out privileges (in most cases) for jail, and
annotate which privileges are allowed and why in comments.
Affected files ...
.. //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#4 edit
Differences ...
==== //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c#4 (text+ko) ====
@@ -535,32 +535,26 @@
return (0);
switch (priv) {
- /* case PRIV_ROOT: */
- /* case PRIV_ACCT: */
- /* case PRIV_MAXFILES: */
- /* case PRIV_MAXPROC: */
+
+ /*
+ * Allow ktrace privileges for root in jail.
+ */
case PRIV_KTRACE:
- /* case PRIV_SETDUMPER: */
- /* case PRIV_NFSD: */
- /* case PRIV_REBOOT: */
- /* case PRIV_SWAPON: */
- /* case PRIV_SWAPOFF: */
- /* case PRIV_MSGBUF: */
- /* case PRIV_WITNESS: */
- /* case PRIV_IO: */
- /* case PRIV_KEYBOARD: */
- /* case PRIV_DRIVER: */
- /* case PRIV_ADJTIME: */
- /* case PRIV_NTP_ADJTIME: */
- /* case PRIV_CLOCK_SETTIME: */
- /* case PRIV_SETTIMEOFDAY: */
- /* case PRIV_SETHOSTID: */
- /* case PRIV_SETDOMAINNAME: */
- /* case PRIV_AUDIT_CONTROL: */
- /* case PRIV_AUDIT_FAILSTOP: */
+
+ /*
+ * Allow jailed processes to configure audit identity and
+ * submit audit records (login, etc). In the future we may
+ * want to further refine the relationship between audit and
+ * jail.
+ */
case PRIV_AUDIT_GETAUDIT:
case PRIV_AUDIT_SETAUDIT:
case PRIV_AUDIT_SUBMIT:
+
+ /*
+ * Allow jailed processes to manipulate process UNIX
+ * credentials in any way they sees fit.
+ */
case PRIV_CRED_SETUID:
case PRIV_CRED_SETEUID:
case PRIV_CRED_SETGID:
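Review bot: The new comment above `case PRIV_CRED_SETUID:` has a grammar slip, `they sees fit`; change the line to `* credentials in any way they see fit.`. The audit comment above `case PRIV_AUDIT_GETAUDIT:` states intent but not the trust consequence a reader of this switch needs: since the comment itself says PRIV_AUDIT_SETAUDIT lets jailed processes "configure audit identity", I would add a line such as `* Note: SETAUDIT lets jailed root alter the audit identity of its own processes; confirm host-side attribution of jailed activity tolerates this.` so the "further refine" remark has a concrete follow-up. The `PRIV_CRED_*` case group continues into the next hunk, and the function enclosing this switch starts above the hunk.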
@@ -570,57 +564,73 @@
case PRIV_CRED_SETREGID:
case PRIV_CRED_SETRESUID:
case PRIV_CRED_SETRESGID:
+
+ /*
+ * Jail implements visibility constraints already, so allow
+ * jailed root to override uid/gid-based constraints.
+ */
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
+
+ /*
+ * Jail implements inter-process debugging limits already, so
+ * allow jailed root various debugging privileges.
+ */
case PRIV_DEBUG_DIFFCRED:
case PRIV_DEBUG_SUGID:
case PRIV_DEBUG_UNPRIV:
- /* case PRIV_FIRMWARE_LOAD: */
- /* case PRIV_JAIL_ATTACH: */
- /* case PRIV_KENV_SET: */
- /* case PRIV_KENV_UNSET: */
- /* case PRIV_KLD_LOAD: */
- /* case PRIV_KLD_UNLOAD: */
- /* case PRIV_MAC_PARTITION: */
+
+ /*
+ * Allow jail to set various resource limits and login
+ * properties, and for now, exceed process resource limits.
+ */
case PRIV_PROC_LIMIT:
case PRIV_PROC_SETLOGIN:
case PRIV_PROC_SETRLIMIT:
- /* XXXRW: Not yet. */
+ /*
+ * The following privileges should be granted to jail once
+ * implemented.
+ */
/* case PRIV_IPC_READ: */
/* case PRIV_IPC_WRITE: */
/* case PRIV_IPC_EXEC: */
/* case PRIV_IPC_ADMIN: */
/* case PRIV_IPC_MSGSIZE: */
/* case PRIV_MQ_ADMIN: */
- /* case PRIV_PMC_MANAGE: */
- /* case PRIV_PMC_SYSTEM: */
+
+ /*
+ * Jail implements its own inter-process limits, so allow
+ * root processes in jail to change scheduling on other
+ * processes in the same jail. Likewise for signalling.
+ */
case PRIV_SCHED_DIFFCRED:
- /* case PRIV_SCHED_SETPRIORITY: */
- /* case PRIV_SCHED_RTPRIO: */
- /* case PRIV_SCHED_SETPOLICY: */
- /* case PRIV_SCHED_SET: */
- /* case PRIV_SCHED_SETPARAM: */
- /* case PRIV_SEM_WRITE: */
case PRIV_SIGNAL_DIFFCRED:
case PRIV_SIGNAL_SUGID:
- /* case PRIV_SYSCTL_DEBUG: */
- /* case PRIV_SYSCTL_WRITE: */
+
+ /*
+ * Allow jailed processes to write to sysctls marked as jail
+ * writable.
+ */
case PRIV_SYSCTL_WRITEJAIL:
- /* case PRIV_TTY_CONSOLE: */
- /* case PRIV_TTY_DRAINWAIT: */
- /* case PRIV_TTY_DTRWAIT: */
- /* case PRIV_TTY_EXCLUSIVE: */
- /* case PRIV_TTY_PRISON: */
- /* case PRIV_TTY_STI: */
- /* case PRIV_TTY_SETA: */
- /* case PRIV_UFS_EXTATTRCTL: */
+
+ /*
+ * Allow root in jail to manage a variety of quota
+ * properties. Some are a bit surprising and should be
+ * reconsidered.
+ */
case PRIV_UFS_GETQUOTA:
case PRIV_UFS_QUOTAOFF: /* XXXRW: Slightly surprising. */
case PRIV_UFS_QUOTAON: /* XXXRW: Slightly surprising. */
case PRIV_UFS_SETQUOTA:
case PRIV_UFS_SETUSE: /* XXXRW: Slightly surprising. */
- /* case PRIV_UFS_EXCEEDQUOTA: */
+
+ /*
+ * Since Jail relies on chroot() to implement file system
+ * protections, grant many VFS privileges to root in jail.
+ * Be careful to exclude mount-related and NFS-related
+ * privileges.
+ */
case PRIV_VFS_READ:
case PRIV_VFS_WRITE:
case PRIV_VFS_ADMIN:
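Review bot: The comment `The following privileges should be granted to jail once implemented.` above the still-commented `PRIV_IPC_*` and `PRIV_MQ_ADMIN` cases does not say what happens to them today; because they are not listed, they reach `default:` and are denied, and the comment should make that explicit, e.g. `* The following privileges should be granted to jail once implemented; until then they fall through to default and are denied.`. For the quota group, the three `XXXRW: Slightly surprising.` markers would be more useful if they named the concern: if PRIV_UFS_QUOTAON/QUOTAOFF/SETUSE act on the whole file system rather than the jail's subtree (I cannot confirm that from this hunk), jailed root can change quota enforcement for the host and other jails sharing that file system, which makes the block comment's `should be reconsidered` a privilege-boundary question rather than a cosmetic one. The VFS case group beginning at `case PRIV_VFS_READ:` continues in the next hunk.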
@@ -631,97 +641,49 @@
case PRIV_VFS_CHOWN:
case PRIV_VFS_CHROOT:
case PRIV_VFS_CLEARSUGID:
- /* case PRIV_VFS_EXTATTR_SYSTEM: */
case PRIV_VFS_FCHROOT:
- /* case PRIV_VFS_FHOPEN: */
- /* case PRIV_VFS_FHSTAT: */
- /* case PRIV_VFS_FHSTATFS: */
- /* case PRIV_VFS_GENERATION: */
- /* case PRIV_VFS_GETFH: */
case PRIV_VFS_LINK:
- /* case PRIV_VFS_MKNOD_DEV: */
- /* case PRIV_VFS_MOUNT: */
- /* case PRIV_VFS_MOUNT_OWNER: */
- /* case PRIV_VFS_MOUNT_EXPORTED: */
- /* case PRIV_VFS_MOUNT_PERM: */
- /* case PRIV_VFS_MOUNT_SUIDDIR: */
case PRIV_VFS_SETGID:
case PRIV_VFS_STICKYFILE:
return (0);
+ /*
+ * Depending on the global setting, allow privilege of
+ * setting system flags.
+ */
case PRIV_VFS_SYSFLAGS:
if (jail_chflags_allowed)
return (0);
else
return (EPERM);
- /* case PRIV_VFS_UNMOUNT: */
- /* case PRIV_VM_MADV_PROTECT: */
- /* case PRIV_VM_MLOCK: */
- /* case PRIV_VM_MUNLOCK: */
- /* case PRIV_DEVFS_RULE: */
- /* case PRIV_DEVFS_SYMLINK: */
- /* case PRIV_RANDOM_RESEED: */
- /* case PRIV_NET_BRIDGE: */
- /* case PRIV_NET_GRE: */
- /* case PRIV_NET_PPP: */
- /* case PRIV_NET_SLIP: */
- /* case PRIV_NET_BPF: */
- /* case PRIV_NET_RAW: */
- /* case PRIV_NET_ROUTE: */
- /* case PRIV_NET_TAP: */
- /* case PRIV_NET_SETIFMTU: */
- /* case PRIV_NET_SETIFFLAGS: */
- /* case PRIV_NET_SETIFCAP: */
- /* case PRIV_NET_SETIFNAME: */
- /* case PRIV_NET_SETIFMETRIC: */
- /* case PRIV_NET_SETIFPHYS: */
- /* case PRIV_NET_SETIFMAC: */
- /* case PRIV_NET_ADDMULTI: */
- /* case PRIV_NET_DELMULTI: */
- /* case PRIV_NET_HWIOCTL: */
- /* case PRIV_NET_SETLLADDR: */
- /* case PRIV_NET_ADDIFGROUP: */
- /* case PRIV_NET_DELIFGROUP: */
- /* case PRIV_NET_IFCREATE: */
- /* case PRIV_NET_IFDESTROY: */
- /* case PRIV_NET80211_GETKEY: */
- /* case PRIV_NET80211_MANAGE: */
- /* case PRIV_NETATALK_RESERVEDPORT: */
- /* case PRIV_NETATM_CFG: */
- /* case PRIV_NETATM_ADD: */
- /* case PRIV_NETATM_DEL: */
- /* case PRIV_NETATM_SET: */
- /* case PRIV_NETGRAPH_CONTROL: */
- /* case PRIV_NETGRAPH_TTY: */
+ /*
+ * Allow jailed root to bind reserved ports.
+ */
case PRIV_NETINET_RESERVEDPORT:
return (0);
- /* case PRIV_NETINET_IPFW: */
- /* case PRIV_NETINET_DIVERT: */
- /* case PRIV_NETINET_PF: */
- /* case PRIV_NETINET_DUMMYNET: */
- /* case PRIV_NETINET_CARP: */
- /* case PRIV_NETINET_MROUTE: */
+
+ /*
+ * Conditionally allow creating raw sockets in jail.
+ */
case PRIV_NETINET_RAW:
if (jail_allow_raw_sockets)
return (0);
else
return (EPERM);
+
+ /*
+ * Since jail implements its own visibility limits on netstat
+ * sysctls, allow getcred. This allows identd to work in
+ * jail.
+ */
case PRIV_NETINET_GETCRED:
- /* case PRIV_NETINET_ADDRCTRL6: */
- /* case PRIV_NETINET_ND6: */
- /* case PRIV_NETINET_SCOPE6: */
- /* case PRIV_NETINET_ALIFETIME6: */
- /* case PRIV_NETINET_IPSEC: */
- /* case PRIV_NETIPX_RESERVEDPORT: */
- /* case PRIV_NETIPX_RAW: */
- /* case PRIV_NETNCP: */
- /* case PRIV_NETSMB: */
- /* case PRIV_VM86_INTCALL: */
default:
/*
- * In all remaining cases, deny the privilege request.
+ * In all remaining cases, deny the privilege request. This
+ * includes almost all network privileges, many system
+ * configuration privileges.
*/
return (EPERM);
}
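Review bot: The rewritten `default:` comment is missing a conjunction and reads as a broken list; change it to `* includes almost all network privileges and many system` followed by `* configuration privileges.`. While editing it, the deny-by-default property is the one invariant future edits must preserve, so I would add `* Any privilege not explicitly listed above, including ones added later, is denied here.` so that the VFS comment's promise to exclude mount- and NFS-related privileges is understood to rest on this default rather than on any check. As a style point only, `PRIV_VFS_SYSFLAGS` and `PRIV_NETINET_RAW` each wrap two returns in if/else where `return (jail_chflags_allowed ? 0 : EPERM);` and `return (jail_allow_raw_sockets ? 0 : EPERM);` would do. The closing `}` here ends the switch; the enclosing function begins and ends outside the hunk.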