git: d3bb35d4e51b - main - jail: allow adjustment of host time

From: Mariusz Zaborski <oshogbo_at_FreeBSD.org>
Date: Fri, 28 Jun 2024 10:25:21 UTC
The branch main has been updated by oshogbo:

URL: https://cgit.FreeBSD.org/src/commit/?id=d3bb35d4e51b06488b731071e7841f549bd5d26f

commit d3bb35d4e51b06488b731071e7841f549bd5d26f
Author:     Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2024-06-28 10:23:31 +0000
Commit:     Mariusz Zaborski <oshogbo@FreeBSD.org>
CommitDate: 2024-06-28 10:23:31 +0000

    jail: allow adjustment of host time
    
    Add a special permission to the jail to adjust and to set the host time.
    This can be useful if we want to compartmentalize the NTP daemon
    from the rest of the system.
    
    Reviewed by:    olce, imp
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D45545
---
 sys/kern/kern_jail.c | 28 ++++++++++++++++++++++++++++
 sys/sys/jail.h       |  4 +++-
 usr.sbin/jail/jail.8 | 17 +++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 90a043394792..38aea998d196 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -223,6 +223,8 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
 	{"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
 #endif
 	{"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
+	{"allow.adjtime", "allow.noadjtime", PR_ALLOW_ADJTIME},
+	{"allow.settime", "allow.nosettime", PR_ALLOW_SETTIME},
 };
 static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
 const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4167,6 +4169,28 @@ prison_priv_check(struct ucred *cred, int priv)
 			return (0);
 		return (EPERM);
 
+		/*
+		 * Conditionally allow privileged process in the jail adjust
+		 * machine time.
+		 */
+	case PRIV_ADJTIME:
+	case PRIV_NTP_ADJTIME:
+		if (cred->cr_prison->pr_allow &
+		    (PR_ALLOW_ADJTIME | PR_ALLOW_SETTIME)) {
+			return (0);
+		}
+		return (EPERM);
+
+		/*
+		 * Conditionally allow privileged process in the jail set
+		 * machine time.
+		 */
+	case PRIV_CLOCK_SETTIME:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_SETTIME)
+			return (0);
+		else
+			return (EPERM);
+
 	default:
 		/*
 		 * In all remaining cases, deny the privilege request.  This
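Review bot: The new PRIV_CLOCK_SETTIME case at the end of the hunk only covers clock_settime(2); if settimeofday(2) is gated by a separate PRIV_SETTIMEOFDAY privilege, as it appears to be in kern_time.c, a jail granted allow.settime still gets EPERM from that path, so consider adding `case PRIV_SETTIMEOFDAY:` beside `case PRIV_CLOCK_SETTIME:` or documenting that only clock_settime is permitted. The two new cases are also written in different shapes: the adjtime case uses braces and a trailing `return (EPERM);`, the settime case uses `if/else`, and neither matches the `if (...) return (0); return (EPERM);` form visible just above the hunk, so `if (cred->cr_prison->pr_allow & PR_ALLOW_SETTIME) return (0); return (EPERM);` would read consistently. The first new comment is missing a word and should read `* Conditionally allow privileged process in the jail to adjust`. prison_priv_check begins and ends outside this hunk.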
@@ -4631,6 +4655,10 @@ SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
 #endif
 SYSCTL_JAIL_PARAM(_allow, extattr, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may set system-level filesystem extended attributes");
+SYSCTL_JAIL_PARAM(_allow, adjtime, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may adjust system time");
+SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may set system time");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
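Review bot: The description string on the second added SYSCTL_JAIL_PARAM line does not say that settime also grants the adjtime privilege, although prison_priv_check in this commit accepts PR_ALLOW_SETTIME for PRIV_ADJTIME and PRIV_NTP_ADJTIME and the manual page states the inclusion; `"B", "Jail may set system time (implies allow.adjtime)"` would keep the sysctl self-describing. Since this string is what `sysctl -d` shows an administrator, it is the cheapest place to make the wider grant visible. The matching jail.8 text added later in this commit reads `set global operating system data and time`, where `date and time` appears to be intended.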
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 6e7b6cc9ad6a..31928be73502 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -254,7 +254,9 @@ struct prison_racct {
 #define	PR_ALLOW_KMEM_ACCESS		0x00010000	/* reserved, not used yet */
 #define	PR_ALLOW_NFSD			0x00020000
 #define	PR_ALLOW_EXTATTR		0x00040000
-#define	PR_ALLOW_ALL_STATIC		0x000787ff
+#define	PR_ALLOW_ADJTIME		0x00080000
+#define	PR_ALLOW_SETTIME		0x00100000
+#define	PR_ALLOW_ALL_STATIC		0x001f87ff
 
 /*
  * PR_ALLOW_DIFFERENCES determines which flags are able to be
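Review bot: The two new PR_ALLOW_ bits carry no comment, while the reserved bit just above them does, and the relationship the kernel enforces (PR_ALLOW_SETTIME also satisfies the adjtime checks in prison_priv_check) is recorded only in kern_jail.c; a trailing comment such as `/* implies PR_ALLOW_ADJTIME */` on the PR_ALLOW_SETTIME line would document it where the flag is defined. The PR_ALLOW_ALL_STATIC update to 0x001f87ff is consistent with the two new bits (0x000787ff | 0x00080000 | 0x00100000).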
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index ca7b3f95fdbc..2ecb711c971f 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -656,6 +656,18 @@ The super-user is enabled by default.
 .It Va allow.extattr
 Allow privileged process in the jail to manipulate filesystem extended
 attributes in the system namespace.
+.It Va allow.adjtime
+Allow privileged process in the jail to slowly adjusting global operating system
+time.
+For example through utilities like
+.Xr ntpd 8 .
+.It Va allow.settime
+Allow privileged process in the jail to set global operating system data
+and time.
+For example through utilities like
+.Xr date 1 .
+This permission includes also
+.Va allow.adjtime .
 .El
 .El
 .Pp
@@ -1416,6 +1428,7 @@ appears relative to its creator's own
 This is by virtue of the child jail being created in the chrooted
 environment of the first jail.
 .Sh SEE ALSO
+.Xr date 1 ,
 .Xr killall 1 ,
 .Xr lsvfs 1 ,
 .Xr newaliases 1 ,
@@ -1423,6 +1436,9 @@ environment of the first jail.
 .Xr pkill 1 ,
 .Xr ps 1 ,
 .Xr quota 1 ,
+.Xr adjtime 2 ,
+.Xr clock_settime 2 ,
+.Xr ntp_adjtime 2 ,
 .Xr jail_set 2 ,
 .Xr devfs 4 ,
 .Xr fdescfs 4 ,
@@ -1444,6 +1460,7 @@ environment of the first jail.
 .Xr mount 8 ,
 .Xr mountd 8 ,
 .Xr nfsd 8 ,
+.Xr ntpd 8 ,
 .Xr reboot 8 ,
 .Xr rpcbind 8 ,
 .Xr sendmail 8 ,