RFC: Jail privsets

Bjoern A. Zeeb bz at FreeBSD.org
Fri Nov 27 12:15:33 UTC 2020

On 27 Nov 2020, at 5:04, Kyle Evans wrote:

> (Cross-posting to -arch and -jail for maximum reach)

and trustedbsd now as that is where priv(9) came from [ 
http://www.trustedbsd.org/privileges.html ]

> A couple of times recently, I've had a need or desire to increase or
> decrease privileges available to jails I create to some extent. You
> can write a MAC policy for this, but at some point the downsides of
> MAC policies for this became clear: it's either non-trivial to allow
> the kind of flexibility you may need in configuring some of these
> jails, and you have to rebuild the module otherwise.
> I've got a generally functional patch at [1] that is an approach I'd
> like to request comments on for refining jail privileges. It creates a
> privset that can be assigned on a per-jail basis, and a creator with
> PRIV_JAIL_SETPRIVS can specify any privset mask that's a subset of the
> parent prison.
> If no privset was specified at creation time, then we use the default
> logic that was previously in prison_priv_check(). prison_priv_check()
> has been replaced with a much simpler check of the prison's privset
> for the given privilege.
> As I was writing this, I identified the first problem with it: it
> doesn't currently respond to ALLOW_* updates and grant the appropriate
> privileges after initialization time -- this is a pretty easy fix, and
> I will do so if anyone else finds this useful.
> The other caveat is that I have no idea if there's a useful way to
> expose this to jail(8) users, but they're not really the primary
> target for this -- the primary target is system application developers
> that want more fine control over what a jail they're creating can do.
> This is an excellent foot-gun, but with great power comes great 
> responsibility.

While I like the idea I am not sure I like the way it is done.

I think it was a long-time goal of Robert (which just never happened to 
day) to make priv(9) configurable from user space.

I am just not sure if hanging it off jails is the right answer.
The jail-set is certainly the most extensive in the system, but the priv 
checks are everywhere and hanging them off, say a thread or credential, 
would allow people to do a lot more (also non-foot-shooting) than just 
modifying jails.

That said, jails pretty much tie into the entire td/cred concept already 
so we could happily use them as a jumping platform for experimenting 
before extending it to the entire system if we are clear that this might 
not be the final stable way of doing things?

Lots of health,

More information about the trustedbsd-discuss mailing list