author | Shawn Webb <shawn.webb@hardenedbsd.org> | 2023-09-01 08:11:33 +0000 |
---|---|---|
committer | Dmitry Chagin <dchagin@FreeBSD.org> | 2023-09-01 08:11:33 +0000 |
commit | cb48780db4d6d276d0abd2f84d41185fce17ff83 (patch) | |
tree | 4af7b4dabc8564fde3a9c6bcbc13fe11e78f7c0a | |
parent | 1bfc4574f78653e4b64ac9dd31518c96a17fe52b (diff) | |
download | src-cb48780db4d6d276d0abd2f84d41185fce17ff83.tar.gz src-cb48780db4d6d276d0abd2f84d41185fce17ff83.zip |
jail: Add the ability to access system-level filesystem extended attributes
Prior to this commit, privileged accounts in a jail could not access the
filesystem extended attributes in the system namespace. To control access to
the system namespace on a per-jail basis, add a new configuration parameter,
allow.extattr, which is off by default.
Reported by: zirias
Tested by: zirias
Obtained from: HardenedBSD
Reviewed by: kevans, jamie
Differential revision: https://reviews.freebsd.org/D41643
MFC after: 1 week
Relnotes: yes
-rw-r--r-- | sys/kern/kern_jail.c | 14 | ||||
-rw-r--r-- | sys/sys/jail.h | 3 | ||||
-rw-r--r-- | usr.sbin/jail/jail.8 | 8 |
3 files changed, 22 insertions, 3 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 39bdcaf5ef0e..0c1f565638da 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -220,6 +220,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
 #ifdef VIMAGE
 {"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
 #endif
+ {"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
 };
 static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
 const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4060,6 +4061,17 @@ prison_priv_check(struct ucred *cred, int priv)
 return (0);
 
 /*
+ * Conditionally allow privileged process in the jail to
+ * manipulate filesystem extended attributes in the system
+ * namespace.
+ */
+ case PRIV_VFS_EXTATTR_SYSTEM:
+ if ((cred->cr_prison->pr_allow & PR_ALLOW_EXTATTR) != 0)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
 * Conditionnaly allow locking (unlocking) physical pages
 * in memory.
 */
@@ -4552,6 +4564,8 @@ SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
 SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Mountd/nfsd may run in the jail");
 #endif
+SYSCTL_JAIL_PARAM(_allow, extattr, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may set system-level filesystem extended attributes");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 088a0bc33d6d..fb8858f73453 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -253,7 +253,8 @@ struct prison_racct {
 #define PR_ALLOW_RESERVED_PORTS 0x00008000
 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
 #define PR_ALLOW_NFSD 0x00020000
-#define PR_ALLOW_ALL_STATIC 0x000387ff
+#define PR_ALLOW_EXTATTR 0x00040000
+#define PR_ALLOW_ALL_STATIC 0x000787ff
 
 /*
 * PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 0e98914795a2..f6fd04d52162 100644
--- a/usr.sbin/jail/jail.8
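Review bot: The sysctl description added in the third kern_jail.c hunk, `"Jail may set system-level filesystem extended attributes"`, understates what the flag grants: the commit message and the new jail.8 text speak of access to and manipulation of the system namespace, and the new case in prison_priv_check gates PRIV_VFS_EXTATTR_SYSTEM as a whole, so if that privilege also covers reads and deletes (its callers are outside this diff), `"Jail may access system-namespace filesystem extended attributes"` would describe the check accurately. The new comment in the second hunk should read `* Conditionally allow a privileged process in the jail to`. Because system-namespace attributes may carry security metadata on some filesystems, the jail.8 entry would also benefit from a sentence stating that the grant applies to every filesystem reachable from inside the jail, including ones shared with the host, and that it is intended for trusted jails only. prison_priv_check begins and ends outside the hunk, so whether the generic pr_allow inheritance rules prevent a child jail from being granted allow.extattr by a parent that lacks it cannot be confirmed here.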
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd August 26, 2023
+.Dd September 1, 2023
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -642,6 +642,9 @@ sysctl.
 The super-user will be disabled automatically if its parent system has it disabled.
 The super-user is enabled by default.
+.It Va allow.extattr
+Allow privileged process in the jail to manipulate filesystem extended
+attributes in the system namespace.
 .El
 .El
 .Pp
@@ -1414,7 +1417,8 @@ environment of the first jail.
 .Xr shutdown 8 ,
 .Xr sysctl 8 ,
 .Xr syslogd 8 ,
-.Xr umount 8
+.Xr umount 8 ,
+.Xr extattr 9
 .Sh HISTORY
 The
 .Nm |