diff options
| -rw-r--r-- | sys/kern/kern_jail.c | 5 | ||||
| -rw-r--r-- | sys/sys/jail.h | 1 | ||||
| -rw-r--r-- | sys/ufs/ufs/ufs_vnops.c | 13 | ||||
| -rw-r--r-- | usr.sbin/jail/jail.8 | 9 |
4 files changed, 24 insertions, 4 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 7a8442e..28120fd 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -67,6 +67,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, &jail_allow_raw_sockets, 0, "Prison root can create raw sockets"); +int jail_chflags_allowed = 0; +SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW, + &jail_chflags_allowed, 0, + "Processes in jail can alter system file flags"); + /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */ struct prisonlist allprison; struct mtx allprison_mtx; diff --git a/sys/sys/jail.h b/sys/sys/jail.h index ee9b40f..b403b14 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -83,6 +83,7 @@ extern int jail_socket_unixiproute_only; extern int jail_sysvipc_allowed; extern int jail_getfsstat_jailrootonly; extern int jail_allow_raw_sockets; +extern int jail_chflags_allowed; LIST_HEAD(prisonlist, prison); extern struct prisonlist allprison; diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c index baaffb5..37a3a41 100644 --- a/sys/ufs/ufs/ufs_vnops.c +++ b/sys/ufs/ufs/ufs_vnops.c @@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$"); #include <sys/conf.h> #include <sys/acl.h> #include <sys/mac.h> +#include <sys/jail.h> #include <machine/mutex.h> @@ -472,13 +473,17 @@ ufs_setattr(ap) if ((error = VOP_ACCESS(vp, VADMIN, cred, td))) return (error); /* - * Unprivileged processes and privileged processes in - * jail() are not permitted to unset system flags, or - * modify flags if any system flags are set. + * Unprivileged processes are not permitted to unset system + * flags, or modify flags if any system flags are set. * Privileged non-jail processes may not modify system flags * if securelevel > 0 and any existing system flags are set. + * Privileged jail processes behave like privileged non-jail + * processes if the security.jail.chflags_allowed sysctl is + * is non-zero; otherwise, they behave like unprivileged + * processes. */ - if (!suser_cred(cred, 0)) { + if (!suser_cred(cred, + jail_chflags_allowed ? SUSER_ALLOWJAIL : 0)) { if (ip->i_flags & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) { error = securelevel_gt(cred, 0); diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 1a75f31..f7c5198 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -497,6 +497,15 @@ within a jail would be able to communicate with (and potentially interfere with) processes outside of the jail, and in other jails. As such, this functionality is disabled by default, but can be enabled by setting this MIB entry to 1. +.It Va security.jail.chflags_allowed +This MIB entry determines how a privileged user inside a jail will be +treated by +.Xr chflags 2 . +If zero, such users are treated as unprivileged, and are unable to set +or clear system file flags; if non-zero, such users are treated as +privileged, and may manipulate system file flags subject to the usual +constaints on +.Va kern.securelevel . .El .Pp There are currently two MIB related variables that have per-jail settings. |
