authorShawn Webb <shawn.webb@hardenedbsd.org>2023-09-01 08:11:33 +0000
committerDmitry Chagin <dchagin@FreeBSD.org>2023-09-01 08:11:33 +0000
commitcb48780db4d6d276d0abd2f84d41185fce17ff83 (patch)
tree4af7b4dabc8564fde3a9c6bcbc13fe11e78f7c0a
parent1bfc4574f78653e4b64ac9dd31518c96a17fe52b (diff)
jail: Add the ability to access system-level filesystem extended attributes
Prior to this commit, privileged accounts in a jail could not access the filesystem extended attributes in the system namespace. To control access to the system namespace on a per-jail basis, add a new configuration parameter allow.extattr, which is off by default. Reported by: zirias Tested by: zirias Obtained from: HardenedBSD Reviewed by: kevans, jamie Differential revision: https://reviews.freebsd.org/D41643 MFC after: 1 week Relnotes: yes
-rw-r--r--sys/kern/kern_jail.c14
-rw-r--r--sys/sys/jail.h3
-rw-r--r--usr.sbin/jail/jail.88
3 files changed, 22 insertions, 3 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 39bdcaf5ef0e..0c1f565638da 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -220,6 +220,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
#ifdef VIMAGE
{"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
#endif
+ {"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4060,6 +4061,17 @@ prison_priv_check(struct ucred *cred, int priv)
return (0);
/*
+ * Conditionally allow privileged process in the jail to
+ * manipulate filesystem extended attributes in the system
+ * namespace.
+ */
+ case PRIV_VFS_EXTATTR_SYSTEM:
+ if ((cred->cr_prison->pr_allow & PR_ALLOW_EXTATTR) != 0)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
* Conditionnaly allow locking (unlocking) physical pages
* in memory.
*/
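Review bot: The comment above the new PRIV_VFS_EXTATTR_SYSTEM case describes the grant only as "manipulate filesystem extended attributes", which understates its reach: as far as I recall this privilege is consulted for get and delete as well as set, and on UFS the system namespace is where POSIX.1e ACLs are stored, so a jail with allow.extattr can alter security-relevant metadata on every file it can reach. Suggest extending the comment with `* This covers get/set/delete of every system-namespace attribute on` `* files visible to the jail (UFS keeps POSIX.1e ACLs there), so the` `* flag is a sizable grant and is off by default.` The two-constant if/else matches the neighbouring cases in this switch, so the code shape itself needs no change. prison_priv_check begins and ends outside this hunk.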
@@ -4552,6 +4564,8 @@ SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
"B", "Mountd/nfsd may run in the jail");
#endif
+SYSCTL_JAIL_PARAM(_allow, extattr, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may set system-level filesystem extended attributes");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
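Review bot: The description string on the new SYSCTL_JAIL_PARAM(_allow, extattr, ...) says the jail "may set" system-level attributes, which is narrower than the man-page wording in this commit ("manipulate") and, if the privilege also gates reads and deletes as I believe it does, understates what the knob grants to an administrator reading sysctl output. Suggest `"B", "Jail may access system-level filesystem extended attributes");` so the sysctl help text matches the actual scope. The SYSCTL_JAIL_PARAM table continues outside this hunk.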
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 088a0bc33d6d..fb8858f73453 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -253,7 +253,8 @@ struct prison_racct {
#define PR_ALLOW_RESERVED_PORTS 0x00008000
#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
#define PR_ALLOW_NFSD 0x00020000
-#define PR_ALLOW_ALL_STATIC 0x000387ff
+#define PR_ALLOW_EXTATTR 0x00040000
+#define PR_ALLOW_ALL_STATIC 0x000787ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 0e98914795a2..f6fd04d52162 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd August 26, 2023
+.Dd September 1, 2023
.Dt JAIL 8
.Os
.Sh NAME
@@ -642,6 +642,9 @@ sysctl.
The super-user will be disabled automatically if its parent system has it
disabled.
The super-user is enabled by default.
+.It Va allow.extattr
+Allow privileged process in the jail to manipulate filesystem extended
+attributes in the system namespace.
.El
.El
.Pp
@@ -1414,7 +1417,8 @@ environment of the first jail.
.Xr shutdown 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
-.Xr umount 8
+.Xr umount 8 ,
+.Xr extattr 9
.Sh HISTORY
The
.Nm