git: d3bb35d4e51b - main - jail: allow adjustment of host time
Date: Fri, 28 Jun 2024 10:25:21 UTC
The branch main has been updated by oshogbo: URL: https://cgit.FreeBSD.org/src/commit/?id=d3bb35d4e51b06488b731071e7841f549bd5d26f commit d3bb35d4e51b06488b731071e7841f549bd5d26f Author: Mariusz Zaborski <oshogbo@FreeBSD.org> AuthorDate: 2024-06-28 10:23:31 +0000 Commit: Mariusz Zaborski <oshogbo@FreeBSD.org> CommitDate: 2024-06-28 10:23:31 +0000 jail: allow adjustment of host time Add a special permission to the jail to adjust and to set the host time. This can be useful if we want to compartmentalize the NTP daemon from the rest of the system. Reviewed by: olce, imp MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D45545 --- sys/kern/kern_jail.c | 28 ++++++++++++++++++++++++++++ sys/sys/jail.h | 4 +++- usr.sbin/jail/jail.8 | 17 +++++++++++++++++ 3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 90a043394792..38aea998d196 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -223,6 +223,8 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
 {"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
 #endif
 {"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
+ {"allow.adjtime", "allow.noadjtime", PR_ALLOW_ADJTIME},
+ {"allow.settime", "allow.nosettime", PR_ALLOW_SETTIME},
 };
 static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
 const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4167,6 +4169,28 @@ prison_priv_check(struct ucred *cred, int priv)
 return (0);
 return (EPERM);
 
+ /*
+ * Conditionally allow privileged process in the jail adjust
+ * machine time.
+ */
+ case PRIV_ADJTIME:
+ case PRIV_NTP_ADJTIME:
+ if (cred->cr_prison->pr_allow &
+ (PR_ALLOW_ADJTIME | PR_ALLOW_SETTIME)) {
+ return (0);
+ }
+ return (EPERM);
+
+ /*
+ * Conditionally allow privileged process in the jail set
+ * machine time.
+ */
+ case PRIV_CLOCK_SETTIME:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_SETTIME)
+ return (0);
+ else
+ return (EPERM);
+
 default:
 /*
 * In all remaining cases, deny the privilege request. This
@@ -4631,6 +4655,10 @@ SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
 #endif
 SYSCTL_JAIL_PARAM(_allow, extattr, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Jail may set system-level filesystem extended attributes");
+SYSCTL_JAIL_PARAM(_allow, adjtime, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may adjust system time");
+SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may set system time");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 6e7b6cc9ad6a..31928be73502 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -254,7 +254,9 @@ struct prison_racct {
 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
 #define PR_ALLOW_NFSD 0x00020000
 #define PR_ALLOW_EXTATTR 0x00040000
-#define PR_ALLOW_ALL_STATIC 0x000787ff
+#define PR_ALLOW_ADJTIME 0x00080000
+#define PR_ALLOW_SETTIME 0x00100000
+#define PR_ALLOW_ALL_STATIC 0x001f87ff
 
 /*
 * PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index ca7b3f95fdbc..2ecb711c971f 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
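Review bot: The new `case PRIV_CLOCK_SETTIME:` arm leaves `PRIV_SETTIMEOFDAY` on the default-deny path below it, so a jail granted allow.settime can step the clock via clock_settime(2) but settimeofday(2) will presumably still fail with EPERM if kern_settimeofday() gates on PRIV_SETTIMEOFDAY as it does elsewhere in the tree (not visible in this hunk); either add `case PRIV_SETTIMEOFDAY:` next to `case PRIV_CLOCK_SETTIME:` or state in jail.8 that only clock_settime(2), adjtime(2) and ntp_adjtime(2) are covered. The first arm deliberately accepts either bit, which is worth saying in the comment rather than leaving to the reader: `* machine time.  Either flag suffices: allow.settime implies allow.adjtime.` Both added comments also drop a word; `* Conditionally allow privileged process in the jail to adjust` and `* ... in the jail to set` read correctly. Since the effect is host-wide for every jail on the machine, a one-line reminder such as `/* Clock changes are global, not scoped to the jail. */` above the first case would help whoever next audits this switch. prison_priv_check starts and ends outside the hunk.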
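Review bot: The sysctl description `"Jail may set system time"` for allow.settime omits that the flag also grants adjustment, which the `(PR_ALLOW_ADJTIME | PR_ALLOW_SETTIME)` test in prison_priv_check and the jail.8 text both establish; `"B", "Jail may set system time (implies allow.adjtime)"` would keep `sysctl -d security.jail.param.allow.settime` in step with the manual (whose own wording, "operating system data and time", presumably means "date and time"). Both strings could also make the host-global scope explicit, e.g. `"Jail may adjust host (system-wide) time"`, since an operator reading the parameter list has no other hint that this is not confined to the jail.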
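Review bot: The hand-derived `PR_ALLOW_ALL_STATIC 0x001f87ff` is correct (0x000787ff | 0x00080000 | 0x00100000), but every new flag requires re-computing this literal by eye; a compile-time guard in kern_jail.c such as `CTASSERT((PR_ALLOW_ALL_STATIC & (PR_ALLOW_ADJTIME | PR_ALLOW_SETTIME)) == (PR_ALLOW_ADJTIME | PR_ALLOW_SETTIME));`, or spelling the mask as an OR of the flags, would catch a dropped bit. The two new bits hand out host-wide clock control, so if `PR_ALLOW_DIFFERENCES` (its definition continues past the hunk) lists flags a child jail may hold without its parent, these must stay out of it — worth confirming explicitly. A short comment beside the defines, `/* host-global clock control; see allow.settime in jail(8) */`, would flag that scope for the next reader.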
@@ -656,6 +656,18 @@ The super-user is enabled by default.
 .It Va allow.extattr
 Allow privileged process in the jail to manipulate filesystem extended
 attributes in the system namespace.
+.It Va allow.adjtime
+Allow privileged process in the jail to slowly adjusting global operating system
+time.
+For example through utilities like
+.Xr ntpd 8 .
+.It Va allow.settime
+Allow privileged process in the jail to set global operating system data
+and time.
+For example through utilities like
+.Xr date 1 .
+This permission includes also
+.Va allow.adjtime .
 .El
 .El
 .Pp
@@ -1416,6 +1428,7 @@ appears relative to its creator's own
 This is by virtue of the child jail being created in the chrooted
 environment of the first jail.
 .Sh SEE ALSO
+.Xr date 1 ,
 .Xr killall 1 ,
 .Xr lsvfs 1 ,
 .Xr newaliases 1 ,
@@ -1423,6 +1436,9 @@ environment of the first jail.
 .Xr pkill 1 ,
 .Xr ps 1 ,
 .Xr quota 1 ,
+.Xr adjtime 2 ,
+.Xr clock_settime 2 ,
+.Xr ntp_adjtime 2 ,
 .Xr jail_set 2 ,
 .Xr devfs 4 ,
 .Xr fdescfs 4 ,
@@ -1444,6 +1460,7 @@ environment of the first jail.
 .Xr mount 8 ,
 .Xr mountd 8 ,
 .Xr nfsd 8 ,
+.Xr ntpd 8 ,
 .Xr reboot 8 ,
 .Xr rpcbind 8 ,
 .Xr sendmail 8 ,