git: 1c3ca0c733a4 - main - Revert "jail: Optionally allow audit session state to be configured in a jail"
Date: Tue, 16 Sep 2025 13:45:10 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=1c3ca0c733a4e4ba550cedfa8019260fb0cf5707
commit 1c3ca0c733a4e4ba550cedfa8019260fb0cf5707
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-09-16 13:43:47 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-09-16 13:44:58 +0000
Revert "jail: Optionally allow audit session state to be configured in a jail"
Changing audit system calls to return EPERM instead of ENOSYS when
invoked from a jail breaks some userspace applications. Revert for now
until a more complete change is reviewed.
This reverts commit 246d7e9fc23928be22db38220f5439f5cdee5264.
PR: 289645
---
sys/kern/kern_jail.c | 13 +------------
sys/security/audit/audit_syscalls.c | 12 ++++++++++++
sys/sys/jail.h | 3 +--
usr.sbin/jail/jail.8 | 19 ++++---------------
usr.sbin/jail/tests/jail_basic_test.sh | 20 --------------------
5 files changed, 18 insertions(+), 49 deletions(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 3697d95fe0e5..a75ba89d2a7e 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -243,9 +243,6 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
{"allow.unprivileged_parent_tampering",
"allow.nounprivileged_parent_tampering",
PR_ALLOW_UNPRIV_PARENT_TAMPER},
-#ifdef AUDIT
- {"allow.setaudit", "allow.nosetaudit", PR_ALLOW_SETAUDIT},
-#endif
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4292,6 +4289,7 @@ prison_priv_check(struct ucred *cred, int priv)
*/
case PRIV_KTRACE:
+#if 0
/*
* Allow jailed processes to configure audit identity and
* submit audit records (login, etc). In the future we may
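Review bot: The `#if 0` opened directly after `case PRIV_KTRACE:` is only closed by the `#endif` in the following hunk, so PRIV_AUDIT_GETAUDIT and PRIV_AUDIT_SETAUDIT are no longer handled by prison_priv_check at all and presumably fall to the function's default result, which lies outside both hunks (prison_priv_check itself starts and ends outside the hunk). Nothing in the restored block says that the jail restriction for these privileges now lives elsewhere; a reader seeing the stale "Allow jailed processes to configure audit identity" comment inside dead code could reasonably conclude the check is merely pending. A one-line pointer above the `#if 0`, for example `/* Audit session state is not configurable in a jail: the audit system calls return ENOSYS for jailed callers before reaching priv_check(). */`, would keep the two sites in sync and make the reason for the disabled cases explicit.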
@@ -4300,11 +4298,6 @@ prison_priv_check(struct ucred *cred, int priv)
*/
case PRIV_AUDIT_GETAUDIT:
case PRIV_AUDIT_SETAUDIT:
- if (cred->cr_prison->pr_allow & PR_ALLOW_SETAUDIT)
- return (0);
- else
- return (EPERM);
-#if 0
case PRIV_AUDIT_SUBMIT:
#endif
@@ -5041,10 +5034,6 @@ SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set system time");
SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may modify routing table");
-#ifdef AUDIT
-SYSCTL_JAIL_PARAM(_allow, setaudit, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may set and get audit session state");
-#endif
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index 262f2c1ae1e3..40b2fb3d1c9f 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -592,6 +592,8 @@ sys_getauid(struct thread *td, struct getauid_args *uap)
{
int error;
+ if (jailed(td->td_ucred))
+ return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
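Review bot: The restored `if (jailed(td->td_ucred)) return (ENOSYS);` carries no explanation of why ENOSYS rather than EPERM is the contract, which is exactly the distinction the commit message says userspace depends on; the same unexplained line is restored in sys_setauid, sys_getaudit, sys_setaudit, sys_getaudit_addr and sys_setaudit_addr in the five hunks below. A comment on the first instance such as `/* Audit state is not configurable in a jail; userspace relies on ENOSYS here, not EPERM (see PR 289645). */` would stop the next cleanup from re-introducing the reverted behaviour. The ordering is sound: in every hunk the jail check precedes copyin() and priv_check(), so a jailed caller gets ENOSYS without any user memory being read or a privilege audit record being generated. Each enclosing function continues beyond its hunk.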
@@ -607,6 +609,8 @@ sys_setauid(struct thread *td, struct setauid_args *uap)
au_id_t id;
int error;
+ if (jailed(td->td_ucred))
+ return (ENOSYS);
error = copyin(uap->auid, &id, sizeof(id));
if (error)
return (error);
@@ -646,6 +650,8 @@ sys_getaudit(struct thread *td, struct getaudit_args *uap)
int error;
cred = td->td_ucred;
+ if (jailed(cred))
+ return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
@@ -668,6 +674,8 @@ sys_setaudit(struct thread *td, struct setaudit_args *uap)
struct auditinfo ai;
int error;
+ if (jailed(td->td_ucred))
+ return (ENOSYS);
error = copyin(uap->auditinfo, &ai, sizeof(ai));
if (error)
return (error);
@@ -707,6 +715,8 @@ sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
{
int error;
+ if (jailed(td->td_ucred))
+ return (ENOSYS);
if (uap->length < sizeof(*uap->auditinfo_addr))
return (EOVERFLOW);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
@@ -724,6 +734,8 @@ sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
struct auditinfo_addr aia;
int error;
+ if (jailed(td->td_ucred))
+ return (ENOSYS);
error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
if (error)
return (error);
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index e6a13e6719dd..e12e8c3178c9 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -271,7 +271,6 @@ struct prison_racct {
#define PR_ALLOW_SETTIME 0x00100000
#define PR_ALLOW_ROUTING 0x00200000
#define PR_ALLOW_UNPRIV_PARENT_TAMPER 0x00400000
-#define PR_ALLOW_SETAUDIT 0x00800000
/*
* PR_ALLOW_PRISON0 are the allow flags that we apply by default to prison0,
@@ -279,7 +278,7 @@ struct prison_racct {
* build time. PR_ALLOW_ALL_STATIC should contain any bit above that we expect
* to be used on the system, while PR_ALLOW_PRISON0 will be some subset of that.
*/
-#define PR_ALLOW_ALL_STATIC 0x00ff87ff
+#define PR_ALLOW_ALL_STATIC 0x007f87ff
#define PR_ALLOW_PRISON0 \
(PR_ALLOW_ALL_STATIC & ~(PR_ALLOW_UNPRIV_PARENT_TAMPER))
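Review bot: `PR_ALLOW_ALL_STATIC` is a hand-maintained literal that must shrink in step with the removal of `PR_ALLOW_SETAUDIT` (bit 0x00800000) in the preceding hunk, and this hunk does so, but nothing enforces the coupling; a future flag reusing that bit value without touching the mask would silently be excluded from the set of bits the system accepts. The comment above already states the rule, so the remaining gap is a compile-time check in the consuming C file tying the mask to the highest defined `PR_ALLOW_*` flag, rather than relying on review to catch the next edit.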
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index d44b7f66a64e..421aa9babb4c 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd September 15, 2025
+.Dd August 7, 2025
.Dt JAIL 8
.Os
.Sh NAME
@@ -702,15 +702,15 @@ The super-user will be disabled automatically if its parent system has it
disabled.
The super-user is enabled by default.
.It Va allow.extattr
-Allow privileged processes in the jail to manipulate filesystem extended
+Allow privileged process in the jail to manipulate filesystem extended
attributes in the system namespace.
.It Va allow.adjtime
-Allow privileged processes in the jail to slowly adjusting global operating system
+Allow privileged process in the jail to slowly adjusting global operating system
time.
For example through utilities like
.Xr ntpd 8 .
.It Va allow.settime
-Allow privileged processes in the jail to set global operating system data
+Allow privileged process in the jail to set global operating system data
and time.
For example through utilities like
.Xr date 1 .
@@ -719,17 +719,6 @@ This permission includes also
.It Va allow.routing
Allow privileged process in the non-VNET jail to modify the system routing
table.
-.It Va allow.setaudit
-Allow privileged processes in the jail to set
-.Xr audit 4
-session state using
-.Xr setaudit 2
-and related system calls.
-This is useful, for example, for allowing a jailed
-.Xr sshd 8
-to set the audit user ID for an authenticated session.
-However, it gives jailed processes the ability to modify or disable audit
-session state, so should be configured with care.
.El
.El
.Pp
diff --git a/usr.sbin/jail/tests/jail_basic_test.sh b/usr.sbin/jail/tests/jail_basic_test.sh
index c781eed78756..6802da7b049a 100755
--- a/usr.sbin/jail/tests/jail_basic_test.sh
+++ b/usr.sbin/jail/tests/jail_basic_test.sh
@@ -306,25 +306,6 @@ param_consistency_cleanup()
fi
}
-atf_test_case "setaudit"
-setaudit_head()
-{
- atf_set descr 'Test that setaudit works in a jail when configured with allow.setaudit'
- atf_set require.user root
- atf_set require.progs setaudit
-}
-
-setaudit_body()
-{
- # Try to modify the audit mask within a jail without
- # allow.setaudit configured.
- atf_check -s not-exit:0 -o empty -e not-empty jail -c name=setaudit_jail \
- command=setaudit -m fr ls /
- # The command should succeed if allow.setaudit is configured.
- atf_check -s exit:0 -o ignore -e empty jail -c name=setaudit_jail \
- allow.setaudit command=setaudit -m fr ls /
-}
-
atf_init_test_cases()
{
atf_add_test_case "basic"
@@ -333,5 +314,4 @@ atf_init_test_cases()
atf_add_test_case "commands"
atf_add_test_case "jid_name_set"
atf_add_test_case "param_consistency"
- atf_add_test_case "setaudit"
}