- Attempt to help declutter kern. sysctl by moving security out from
beneath it. Reviewed by: rwatson
This commit is contained in:
Andrew R. Reiter
parent
8af31e7b46
commit
d0615c64a5
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=89414
@ -136,7 +136,7 @@ For a detailed description of these variable see
|
|||||||
.Pp
|
.Pp
|
||||||
The changeable column indicates whether a process with appropriate
|
The changeable column indicates whether a process with appropriate
|
||||||
privilege can change the value.
|
privilege can change the value.
|
||||||
.Bl -column kern.security.bsd.unprivileged_read_msgbuf integerxxx
|
.Bl -column security.bsd.unprivileged_read_msgbuf integerxxx
|
||||||
.It Sy "Name Type Changeable
|
.It Sy "Name Type Changeable
|
||||||
.It "kern.ostype string no
|
.It "kern.ostype string no
|
||||||
.It "kern.osrelease string no
|
.It "kern.osrelease string no
|
||||||
@ -165,10 +165,10 @@ privilege can change the value.
|
|||||||
.It "kern.bootfile string yes
|
.It "kern.bootfile string yes
|
||||||
.It "kern.corefile string yes
|
.It "kern.corefile string yes
|
||||||
.It "kern.logsigexit integer yes
|
.It "kern.logsigexit integer yes
|
||||||
.It "kern.security.bsd.suser_enabled integer yes
|
.It "security.bsd.suser_enabled integer yes
|
||||||
.It "kern.security.bsd.see_other_uids integer yes
|
.It "security.bsd.see_other_uids integer yes
|
||||||
.It "kern.security.bsd.unprivileged_proc_debug integer yes
|
.It "security.bsd.unprivileged_proc_debug integer yes
|
||||||
.It "kern.security.bsd.unprivileged_read_msgbuf integer yes
|
.It "security.bsd.unprivileged_read_msgbuf integer yes
|
||||||
.It "vm.loadavg struct no
|
.It "vm.loadavg struct no
|
||||||
.It "hw.machine string no
|
.It "hw.machine string no
|
||||||
.It "hw.model string no
|
.It "hw.model string no
|
||||||
|
|||||||
@ -193,7 +193,7 @@ jails to set the hostname of the jail, which makes the status file less
|
|||||||
useful from a management perspective if the contents of the jail are
|
useful from a management perspective if the contents of the jail are
|
||||||
malicious.
|
malicious.
|
||||||
To prevent a jail from changing its hostname, the
|
To prevent a jail from changing its hostname, the
|
||||||
"kern.security.jail.set_hostname_allowed" sysctl may be set to 0 prior to
|
"security.jail.set_hostname_allowed" sysctl may be set to 0 prior to
|
||||||
starting any jails.
|
starting any jails.
|
||||||
.PP
|
.PP
|
||||||
One aspect immediately observable in an environment with multiple jails
|
One aspect immediately observable in an environment with multiple jails
|
||||||
|
|||||||
@ -61,9 +61,9 @@
|
|||||||
|
|
||||||
static int capabilities_enabled = 0;
|
static int capabilities_enabled = 0;
|
||||||
|
|
||||||
SYSCTL_NODE(_kern_security, OID_AUTO, capabilities, CTLFLAG_RW, 0,
|
SYSCTL_NODE(_security, OID_AUTO, capabilities, CTLFLAG_RW, 0,
|
||||||
"POSIX.1e Capabilities");
|
"POSIX.1e Capabilities");
|
||||||
SYSCTL_INT(_kern_security_capabilities, OID_AUTO, enabled, CTLFLAG_RW,
|
SYSCTL_INT(_security_capabilities, OID_AUTO, enabled, CTLFLAG_RW,
|
||||||
&capabilities_enabled, 0, "POSIX.1e Capabilities enabled");
|
&capabilities_enabled, 0, "POSIX.1e Capabilities enabled");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|||||||
@ -28,24 +28,24 @@
|
|||||||
|
|
||||||
MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
|
MALLOC_DEFINE(M_PRISON, "prison", "Prison structures");
|
||||||
|
|
||||||
SYSCTL_DECL(_kern_security);
|
SYSCTL_DECL(_security);
|
||||||
SYSCTL_NODE(_kern_security, OID_AUTO, jail, CTLFLAG_RW, 0,
|
SYSCTL_NODE(_security, OID_AUTO, jail, CTLFLAG_RW, 0,
|
||||||
"Jail rules");
|
"Jail rules");
|
||||||
|
|
||||||
mp_fixme("these variables need a lock")
|
mp_fixme("these variables need a lock")
|
||||||
|
|
||||||
int jail_set_hostname_allowed = 1;
|
int jail_set_hostname_allowed = 1;
|
||||||
SYSCTL_INT(_kern_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
|
SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
|
||||||
&jail_set_hostname_allowed, 0,
|
&jail_set_hostname_allowed, 0,
|
||||||
"Processes in jail can set their hostnames");
|
"Processes in jail can set their hostnames");
|
||||||
|
|
||||||
int jail_socket_unixiproute_only = 1;
|
int jail_socket_unixiproute_only = 1;
|
||||||
SYSCTL_INT(_kern_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
|
SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
|
||||||
&jail_socket_unixiproute_only, 0,
|
&jail_socket_unixiproute_only, 0,
|
||||||
"Processes in jail are limited to creating UNIX/IPv4/route sockets only");
|
"Processes in jail are limited to creating UNIX/IPv4/route sockets only");
|
||||||
|
|
||||||
int jail_sysvipc_allowed = 0;
|
int jail_sysvipc_allowed = 0;
|
||||||
SYSCTL_INT(_kern_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
|
SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
|
||||||
&jail_sysvipc_allowed, 0,
|
&jail_sysvipc_allowed, 0,
|
||||||
"Processes in jail can use System V IPC primitives");
|
"Processes in jail can use System V IPC primitives");
|
||||||
|
|
||||||
|
|||||||
@ -77,6 +77,8 @@ SYSCTL_NODE(, CTL_P1003_1B, p1003_1b, CTLFLAG_RW, 0,
|
|||||||
|
|
||||||
SYSCTL_NODE(, OID_AUTO, compat, CTLFLAG_RW, 0,
|
SYSCTL_NODE(, OID_AUTO, compat, CTLFLAG_RW, 0,
|
||||||
"Compatibility code");
|
"Compatibility code");
|
||||||
|
SYSCTL_NODE(, OID_AUTO, security, CTLFLAG_RW, 0,
|
||||||
|
"Security");
|
||||||
#ifdef REGRESSION
|
#ifdef REGRESSION
|
||||||
SYSCTL_NODE(, OID_AUTO, regression, CTLFLAG_RW, 0,
|
SYSCTL_NODE(, OID_AUTO, regression, CTLFLAG_RW, 0,
|
||||||
"Regression test MIB");
|
"Regression test MIB");
|
||||||
|
|||||||
@ -63,9 +63,8 @@
|
|||||||
|
|
||||||
static MALLOC_DEFINE(M_CRED, "cred", "credentials");
|
static MALLOC_DEFINE(M_CRED, "cred", "credentials");
|
||||||
|
|
||||||
SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0,
|
SYSCTL_DECL(_security);
|
||||||
"Kernel security policy");
|
SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
|
||||||
SYSCTL_NODE(_kern_security, OID_AUTO, bsd, CTLFLAG_RW, 0,
|
|
||||||
"BSD security policy");
|
"BSD security policy");
|
||||||
|
|
||||||
#ifndef _SYS_SYSPROTO_H_
|
#ifndef _SYS_SYSPROTO_H_
|
||||||
@ -1190,7 +1189,7 @@ groupmember(gid, cred)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* `suser_enabled' (which can be set by the kern.security.suser_enabled
|
* `suser_enabled' (which can be set by the security.suser_enabled
|
||||||
* sysctl) determines whether the system 'super-user' policy is in effect.
|
* sysctl) determines whether the system 'super-user' policy is in effect.
|
||||||
* If it is nonzero, an effective uid of 0 connotes special privilege,
|
* If it is nonzero, an effective uid of 0 connotes special privilege,
|
||||||
* overriding many mandatory and discretionary protections. If it is zero,
|
* overriding many mandatory and discretionary protections. If it is zero,
|
||||||
@ -1200,9 +1199,9 @@ groupmember(gid, cred)
|
|||||||
* consideration of the consequences.
|
* consideration of the consequences.
|
||||||
*/
|
*/
|
||||||
int suser_enabled = 1;
|
int suser_enabled = 1;
|
||||||
SYSCTL_INT(_kern_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
|
SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
|
||||||
&suser_enabled, 0, "processes with uid 0 have privilege");
|
&suser_enabled, 0, "processes with uid 0 have privilege");
|
||||||
TUNABLE_INT("kern.security.bsd.suser_enabled", &suser_enabled);
|
TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Test whether the specified credentials imply "super-user" privilege.
|
* Test whether the specified credentials imply "super-user" privilege.
|
||||||
@ -1312,7 +1311,7 @@ securelevel_ge(struct ucred *cr, int level)
|
|||||||
* XXX: data declarations should be together near the beginning of the file.
|
* XXX: data declarations should be together near the beginning of the file.
|
||||||
*/
|
*/
|
||||||
static int see_other_uids = 1;
|
static int see_other_uids = 1;
|
||||||
SYSCTL_INT(_kern_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
|
SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
|
||||||
&see_other_uids, 0,
|
&see_other_uids, 0,
|
||||||
"Unprivileged processes may see subjects/objects with different real uid");
|
"Unprivileged processes may see subjects/objects with different real uid");
|
||||||
|
|
||||||
@ -1491,7 +1490,7 @@ p_cansched(struct proc *p1, struct proc *p2)
|
|||||||
* XXX: data declarations should be together near the beginning of the file.
|
* XXX: data declarations should be together near the beginning of the file.
|
||||||
*/
|
*/
|
||||||
static int unprivileged_proc_debug = 1;
|
static int unprivileged_proc_debug = 1;
|
||||||
SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
|
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_proc_debug, CTLFLAG_RW,
|
||||||
&unprivileged_proc_debug, 0,
|
&unprivileged_proc_debug, 0,
|
||||||
"Unprivileged processes may use process debugging facilities");
|
"Unprivileged processes may use process debugging facilities");
|
||||||
|
|
||||||
|
|||||||
@ -819,10 +819,10 @@ msgbufinit(void *ptr, size_t size)
|
|||||||
oldp = msgbufp;
|
oldp = msgbufp;
|
||||||
}
|
}
|
||||||
|
|
||||||
SYSCTL_DECL(_kern_security_bsd);
|
SYSCTL_DECL(_security_bsd);
|
||||||
|
|
||||||
static int unprivileged_read_msgbuf = 1;
|
static int unprivileged_read_msgbuf = 1;
|
||||||
SYSCTL_INT(_kern_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
|
SYSCTL_INT(_security_bsd, OID_AUTO, unprivileged_read_msgbuf,
|
||||||
CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
|
CTLFLAG_RW, &unprivileged_read_msgbuf, 0,
|
||||||
"Unprivileged processes may read the kernel message buffer");
|
"Unprivileged processes may read the kernel message buffer");
|
||||||
|
|
||||||
|
|||||||
@ -233,7 +233,7 @@ script from within the jail.
|
|||||||
.Pp
|
.Pp
|
||||||
NOTE: If you plan to allow untrusted users to have root access inside the
|
NOTE: If you plan to allow untrusted users to have root access inside the
|
||||||
jail, you may wish to consider setting the
|
jail, you may wish to consider setting the
|
||||||
.Va kern.security.jail.set_hostname_allowed
|
.Va security.jail.set_hostname_allowed
|
||||||
to 0.
|
to 0.
|
||||||
Please see the management reasons why this is a good idea.
|
Please see the management reasons why this is a good idea.
|
||||||
If you do decide to set this variable,
|
If you do decide to set this variable,
|
||||||
@ -311,14 +311,14 @@ default, modified from within the jail, so the
|
|||||||
status entry is unreliable by default.
|
status entry is unreliable by default.
|
||||||
To disable the setting of the hostname
|
To disable the setting of the hostname
|
||||||
from within a jail, set the
|
from within a jail, set the
|
||||||
.Va kern.security.jail.set_hostname_allowed
|
.Va security.jail.set_hostname_allowed
|
||||||
sysctl variable in the host environment to 0, which will affect all jails.
|
sysctl variable in the host environment to 0, which will affect all jails.
|
||||||
You can have this sysctl set on each boot using
|
You can have this sysctl set on each boot using
|
||||||
.Xr sysctl.conf 5 .
|
.Xr sysctl.conf 5 .
|
||||||
Just add the following line to
|
Just add the following line to
|
||||||
.Pa /etc/sysctl.conf :
|
.Pa /etc/sysctl.conf :
|
||||||
.Pp
|
.Pp
|
||||||
.Dl kern.security.jail.set_hostname_allowed=0
|
.Dl security.jail.set_hostname_allowed=0
|
||||||
.Pp
|
.Pp
|
||||||
In a future version of
|
In a future version of
|
||||||
.Fx ,
|
.Fx ,
|
||||||
@ -332,7 +332,7 @@ MIB variables.
|
|||||||
Currently, these variables affect all jails on the system, although in
|
Currently, these variables affect all jails on the system, although in
|
||||||
the future this functionality may be finer grained.
|
the future this functionality may be finer grained.
|
||||||
.Bl -tag -width XXX
|
.Bl -tag -width XXX
|
||||||
.It Va kern.security.jail.set_hostname_allowed
|
.It Va security.jail.set_hostname_allowed
|
||||||
This MIB entry determines whether or not processes within a jail are
|
This MIB entry determines whether or not processes within a jail are
|
||||||
allowed to change their hostname via
|
allowed to change their hostname via
|
||||||
.Xr hostname 1
|
.Xr hostname 1
|
||||||
@ -344,7 +344,7 @@ information in
|
|||||||
.Pa /proc .
|
.Pa /proc .
|
||||||
As such, this should be disabled in environments where privileged access to
|
As such, this should be disabled in environments where privileged access to
|
||||||
jails is given out to untrusted parties.
|
jails is given out to untrusted parties.
|
||||||
.It Va kern.security.jail.socket_unixiproute_only
|
.It Va security.jail.socket_unixiproute_only
|
||||||
The jail functionality binds an IPv4 address to each jail, and limits
|
The jail functionality binds an IPv4 address to each jail, and limits
|
||||||
access to other network addresses in the IPv4 space that may be available
|
access to other network addresses in the IPv4 space that may be available
|
||||||
in the host environment.
|
in the host environment.
|
||||||
@ -361,7 +361,7 @@ domain sockets,
|
|||||||
IPv4 addresses, and routing sockets.
|
IPv4 addresses, and routing sockets.
|
||||||
To enable access to other domains, this MIB variable may be set to
|
To enable access to other domains, this MIB variable may be set to
|
||||||
0.
|
0.
|
||||||
.It Va kern.security.jail.sysvipc_allowed
|
.It Va security.jail.sysvipc_allowed
|
||||||
This MIB entry determines whether or not processes within a jail have access
|
This MIB entry determines whether or not processes within a jail have access
|
||||||
to System V IPC primitives.
|
to System V IPC primitives.
|
||||||
In the current jail implementation, System V primitives share a single
|
In the current jail implementation, System V primitives share a single
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user