Diffstat (limited to 'usr.sbin/jail')
-rw-r--r--usr.sbin/jail/config.c2
-rw-r--r--usr.sbin/jail/jail.828
-rwxr-xr-xusr.sbin/jail/tests/jail_basic_test.sh35
3 files changed, 55 insertions, 10 deletions
diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c
index 70de82e662e7..1bad04ccde68 100644
--- a/usr.sbin/jail/config.c
+++ b/usr.sbin/jail/config.c
@@ -189,7 +189,7 @@ load_config(const char *cfname)
* jail is created or found.
*/
if (j->intparams[KP_NAME] == NULL)
- add_param(j, j->intparams[KP_JID], KP_NAME, NULL);
+ add_param(j, NULL, KP_NAME, j->name);
/* Resolve any variable substitutions. */
pgen = 0;
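Review bot: The comment whose tail is visible above this check ("jail is created or found.") may now be stale, because the new call fills in KP_NAME from `j->name` at load time instead of taking it from the jid parameter. The comment starts outside the hunk, so this is inferred from its last line only. If it still describes the name as being settled after the jail exists, reword it along the lines of `/* Default "name" to the block label so ${name} resolves in the substitution pass below. */`. load_config's body continues outside the hunk on both sides.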
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 421aa9babb4c..9aed9b671b9e 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd August 7, 2025
+.Dd October 8, 2025
.Dt JAIL 8
.Os
.Sh NAME
@@ -702,15 +702,15 @@ The super-user will be disabled automatically if its parent system has it
disabled.
The super-user is enabled by default.
.It Va allow.extattr
-Allow privileged process in the jail to manipulate filesystem extended
+Allow privileged processes in the jail to manipulate filesystem extended
attributes in the system namespace.
.It Va allow.adjtime
-Allow privileged process in the jail to slowly adjusting global operating system
-time.
+Allow privileged processes in the jail to slowly adjusting global operating
+system time.
For example through utilities like
.Xr ntpd 8 .
.It Va allow.settime
-Allow privileged process in the jail to set global operating system data
+Allow privileged processes in the jail to set global operating system data
and time.
For example through utilities like
.Xr date 1 .
@@ -719,6 +719,17 @@ This permission includes also
.It Va allow.routing
Allow privileged process in the non-VNET jail to modify the system routing
table.
+.It Va allow.setaudit
+Allow privileged processes in the jail to set
+.Xr audit 4
+session state using
+.Xr setaudit 2
+and related system calls.
+This is useful, for example, for allowing a jailed
+.Xr sshd 8
+to set the audit user ID for an authenticated session.
+However, it gives jailed processes the ability to modify or disable audit
+session state, so should be configured with care.
.El
.El
.Pp
@@ -998,7 +1009,7 @@ jail is removed.
.It Va ip4.addr
In addition to the IP addresses that are passed to the kernel, an
interface, netmask and additional parameters (as supported by
-.Xr ifconfig 8 Ns )
+.Xr ifconfig 8 )
may also be specified, in the form
.Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask param ... .
If an interface is given before the IP address, an alias for the address
@@ -1012,11 +1023,12 @@ adding the IP alias.
.It Va ip6.addr
In addition to the IP addresses that are passed to the kernel,
an interface, prefix and additional parameters (as supported by
-.Xr ifconfig 8 Ns )
+.Xr ifconfig 8 )
may also be specified, in the form
.Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix param ... .
.It Va vnet.interface
-A list of network interfaces to give to a vnet-enabled jail after is it created.
+A comma separated list of network interfaces to give to a vnet-enabled jail
+after is it created.
The interfaces will automatically be released when the jail is removed.
.It Va zfs.dataset
A list of ZFS datasets to be attached to the jail.
diff --git a/usr.sbin/jail/tests/jail_basic_test.sh b/usr.sbin/jail/tests/jail_basic_test.sh
index 509900e8569c..c781eed78756 100755
--- a/usr.sbin/jail/tests/jail_basic_test.sh
+++ b/usr.sbin/jail/tests/jail_basic_test.sh
@@ -198,7 +198,7 @@ clean_jails()
fi
while read jail; do
- if jls -e -j "$jail"; then
+ if jls -c -j "$jail"; then
jail -r "$jail"
fi
done < jails.lst
@@ -211,10 +211,23 @@ jid_name_set_body()
echo "basejail" >> jails.lst
echo "$jid { name = basejail; persist; }" > jail.conf
atf_check -o match:"$jid: created" jail -f jail.conf -c "$jid"
+ # Confirm that we didn't override the explicitly-set name with the jid
+ # as the name.
+ atf_check -o match:"basejail" jls -j "$jid" name
+ atf_check -o match:"$jid: removed" jail -f jail.conf -r "$jid"
+
+ echo "$jid { host.hostname = \"\${name}\"; persist; }" > jail.conf
+ atf_check -o match:"$jid: created" jail -f jail.conf -c "$jid"
+ # Confirm that ${name} expanded and expanded correctly to the
+ # jid-implied name.
+ atf_check -o match:"$jid" jls -j "$jid" host.hostname
atf_check -o match:"$jid: removed" jail -f jail.conf -r "$jid"
echo "basejail { jid = $jid; persist; }" > jail.conf
atf_check -o match:"basejail: created" jail -f jail.conf -c basejail
+ # Confirm that our jid assigment in the definition worked out and we
+ # did in-fact create the jail there.
+ atf_check -o match:"$jid" jls -j "basejail" jid
atf_check -o match:"basejail: removed" jail -f jail.conf -r basejail
}
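Review bot: The three added `jls` checks use unanchored `match:` patterns, so `match:"$jid"` passes on any output that merely contains the jid's digits, and `match:"basejail"` passes on any name containing that string. Anchoring makes the assertions verify what their comments claim: `atf_check -o match:"^basejail\$" jls -j "$jid" name`, and `-o match:"^$jid\$"` for the `host.hostname` and `jid` checks. The comment above the last check has a typo, "assigment". jid_name_set_body starts outside the hunk.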
@@ -293,6 +306,25 @@ param_consistency_cleanup()
fi
}
+atf_test_case "setaudit"
+setaudit_head()
+{
+ atf_set descr 'Test that setaudit works in a jail when configured with allow.setaudit'
+ atf_set require.user root
+ atf_set require.progs setaudit
+}
+
+setaudit_body()
+{
+ # Try to modify the audit mask within a jail without
+ # allow.setaudit configured.
+ atf_check -s not-exit:0 -o empty -e not-empty jail -c name=setaudit_jail \
+ command=setaudit -m fr ls /
+ # The command should succeed if allow.setaudit is configured.
+ atf_check -s exit:0 -o ignore -e empty jail -c name=setaudit_jail \
+ allow.setaudit command=setaudit -m fr ls /
+}
+
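Review bot: The first `atf_check` in setaudit_body accepts any non-zero exit with any stderr text, so it also passes when the jail fails to start or `setaudit` fails for a reason unrelated to the missing permission (audit unavailable on the test host, for instance). This is the check that shows the privilege is denied by default, so it should pin the cause, e.g. `-e match:"Operation not permitted"` if that is what setaudit prints on denial; the exact text needs confirming. The positive case checks only the exit status and that stderr is empty. A follow-up assertion that the mask actually changed would make it stronger, if the test environment allows reading it back.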
atf_init_test_cases()
{
atf_add_test_case "basic"
@@ -301,4 +333,5 @@ atf_init_test_cases()
atf_add_test_case "commands"
atf_add_test_case "jid_name_set"
atf_add_test_case "param_consistency"
+ atf_add_test_case "setaudit"
}