| Commit message | Author | Age | Files | Lines |
| |
provoke errors trying to query options not available.
Make it possible to compile out INET or INET6 only parts.
Reviewed by: jamie
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 10 days
| |
Various people voiced their concerns about these changes.
Until this is resolved, we should use the old version.
| |
an attacker with root access to the jail can create a setuid binary for
their own use in the host environment (if they also have this access),
thus breaking root in the host.
This exploit is impossible if the jail's files are not world-readable.
Add instructions to the man page on how to create a jail with the
correct permissions set.
PR: docs/156853
Submitted by: Chris Rees (utisoft at gmail dot com)
Reviewed by: cperciva (security parts)
MFC after: 9 days
| |
They have no effect when coming in pairs, or before .Bl/.Bd
| |
r210974.
| |
instead of explicitly requiring one of "command" or "persist".
MFC after: 3 days
| |
the jail(8) command. [10:04]
Fix a one-NUL-byte buffer overflow in libopie. [10:05]
Correctly sanity-check a buffer length in nfs mount. [10:06]
Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-10:04.jail
Security: FreeBSD-SA-10:05.opie
Security: FreeBSD-SA-10:06.nfsclient
| |
Reviewed by: ru
| |
whether to use source address selection (default) or the primary
jail address for unbound outgoing connections.
This is intended to be used by people upgrading from single-IP
jails to multi-IP jails but not having to change firewall rules,
application ACLs, ... but to force their connections (unless
otherwise changed) to the primary jail IP they had been used for
years, as well as for people preferring to implement similar policies.
Note that for IPv6, if configured incorrectly, this might lead to
scope violations, which single-IPv6 jails could as well, as by the
design of jails. [1]
Reviewed by: jamie, hrs (ipv6 part)
Pointed out by: hrs [1]
MFC After: 2 weeks
Asked for by: Jase Thew (bazerka beardz.net)
| |
Reviewed by: jamie
| |
Reported by: bz
| |
Submitted by: Jille Timmermans <jille quis cx>
MFC after: 1 week
| |
parameter unless a (numeric) IPv6 address is given. Even the default
binaries built with -DINET6 will work with IPv6-less kernels. With an
eye to the future, similarly handle the possibility of an IPv4-less kernel.
Approved by: re (kib), bz (mentor)
| |
restrictions) were found to be inadequately described by a boolean.
Define a new parameter type with three values (disable, new, inherit)
to handle these and future cases.
Approved by: re (kib), bz (mentor)
Discussed with: rwatson
| |
Approved by: re (kib), bz (mentor)
| |
system calls and the security.jail.param sysctls.
Approved by: bz (mentor)
| |
parameters. This replaces the simple "allow.jails" permission.
Approved by: bz (mentor)
| |
no longer parsed.
Approved by: bz (mentor)
| |
system callers of getgroups(), getgrouplist(), and setgroups() to
allocate buffers dynamically. Specifically, allocate a buffer of size
sysconf(_SC_NGROUPS_MAX)+1 (+2 in a few cases to allow for overflow).
This (or similar gymnastics) is required for the code to actually follow
the POSIX.1-2008 specification where {NGROUPS_MAX} may differ at runtime
and where getgroups may return {NGROUPS_MAX}+1 results on systems like
FreeBSD which include the primary group.
In id(1), don't pointlessly add the primary group to the list of all
groups, it is always the first result from getgroups(). In principle
the old code was more portable, but this was only done in one of the two
places where getgroups() was called, so the overall effect was pointless.
Document the actual POSIX requirements in the getgroups(2) and
setgroups(2) manpages. We do not yet support a dynamic NGROUPS, but we
may in the future.
MFC after: 2 weeks
| |
security.jail.* sysctls since jail_set(2) doesn't do it implicitly.
Approved by: bz (mentor)
| |
Submitted by: richardtoohey at paradise dot net dot nz on -doc
| |
The system hostname is now stored in prison0, and the global variable
"hostname" has been removed, as has the hostname_mtx mutex. Jails may
have their own host information, or they may inherit it from the
parent/system. The proper way to read the hostname is via
getcredhostname(), which will copy either the hostname associated with
the passed cred, or the system hostname if you pass NULL. The system
hostname can still be accessed directly (and without locking) at
prison0.pr_host, but that should be avoided where possible.
The "similar information" referred to is domainname, hostid, and
hostuuid, which have also become prison parameters and had their
associated global variables removed.
Approved by: bz (mentor)
| |
Approved by: bz (mentor)
| |
and jail_get(2). Jail(8) can now create jails using a "name=value"
format instead of just specifying a limited set of fixed parameters; it
can also modify parameters of existing jails. Jls(8) can display all
parameters of jails, or a specified set of parameters. The available
parameters are gathered from the kernel, and not hard-coded into these
programs.
Small patches on killall(1) and jexec(8) to support jail names with
jail_get(2).
Approved by: bz (mentor)
| |
to a 2 clause BSD license.
Approved by: phk
Approved by: bz (mentor)
| |
MFC after: 2 weeks
| |
per address family and add a reference to the ip-addresses option.
MFC after: 1 week
| |
Submitted by: pluknet@gmail.com
MFC after: 1 week
| |
mount and jail-aware file systems as well as quota.
PR: kern/68192
Reviewed by: simon
MFC after: 2 weeks
| |
Bring in updated jail support from bz_jail branch.
This enhances the current jail implementation to permit multiple
addresses per jail. In addition to IPv4, IPv6 is supported as well.
Due to updated checks it is even possible to have jails without
an IP address at all, which basically gives one a chroot with
restricted process view, no networking,..
SCTP support was updated and supports IPv6 in jails as well.
Cpuset support permits jails to be bound to specific processor
sets after creation.
Jails can have an unrestricted (no duplicate protection, etc.) name
in addition to the hostname. The jail name cannot be changed from
within a jail and is considered to be used for management purposes
or as audit-token in the future.
DDB 'show jails' command was added to aid debugging.
Proper compat support permits 32bit jail binaries to be used on 64bit
systems to manage jails. Also backward compatibility was preserved where
possible: for jail v1 syscalls, as well as with user space management
utilities.
Both jail as well as prison version were updated for the new features.
A gap was intentionally left as the intermediate versions had been
used by various patches floating around the last years.
Bump __FreeBSD_version for the aforementioned and in-kernel changes.
Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches
and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their
help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions,
suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes
on cluster machines as well as all the testers and people
who provided feedback the last months on freebsd-jail and
other channels.
- My employer, CK Software GmbH, for the support so I could work on this.
Reviewed by: (see above)
MFC after: 3 months (this is just so that I get the mail)
X-MFC Before: 7.2-RELEASE if possible
| |
unmount jail-friendly file systems from within a jail.
Precisely it grants PRIV_VFS_MOUNT, PRIV_VFS_UNMOUNT and
PRIV_VFS_MOUNT_NONUSER privileges for a jailed super-user.
It is turned off by default.
A jail-friendly file system is a file system whose driver registers
itself with VFCF_JAIL flag via VFS_SET(9) API.
The lsvfs(1) command can be used to see which file systems are
jail-friendly ones.
There are currently no jail-friendly file systems; ZFS will be the first one.
In the future we may consider marking file systems like nullfs as
jail-friendly.
Reviewed by: rwatson
| |
Reminded by: ru
| |
example code) [RFC3330].
Reviewed by: simon
| |
jail is a very bad idea security-wise.
Approved by: trhodes (jcamou mentor)
No response: jcamou
| |
MFC after: 3
| |
Reviewed by: maxim
MFC after: 2 weeks
| |
with non-root privileges.
PR: bin/80242
MFC after: 2 weeks
| |
Suggested by: keramida
| |
PR: docs/96807
MFC after: 3
| |
PR: docs/94711
Submitted by: Andreas Kohn
MFC after: 2 weeks
| |
PR: bin/94730
Submitted by: Frank Behrens
MFC after: 1 month
| |
PR: docs/86044
Noticed by: Dan Langille <dan@langille.org>
Reviewed by: Jose Biskofski <jbiskofski@grmims.com>
Approved by: trhodes (mentor)