Commit Graph

302 Commits

Author SHA1 Message Date
Jamie Gritton
5bf6dca2c6 jail: Don't allow substitution of valueless jail parameters.
PR:		256544
Reported by:	cryptogranny at gmail.com
2021-06-18 09:44:37 -07:00
Math Ieu
847b7d5054
Fix test case header function name
This restores the expected behavior (skip) when running with non-root user

MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D30584
2021-06-02 12:13:57 +08:00
Fernando Apesteguía
8b1a5062e0 jail.conf(5): emphasize where to find jail parameters
Some people expect jail.conf(5) to have a list of jail parameters.
jail(8) contains a comprehensive list of all parameters to be used during jail
invocation or in jail.conf.

Highlighting where to look for jail parameters seems a reasonable solution.

PR:	244569
Reported by:	joneum@
Approved by: 0mp (manpages, mentor)
Reviewed by: debdrup
Differential Revision: https://reviews.freebsd.org/D28701
2021-04-18 17:58:16 +02:00
Jamie Gritton
8c1d956ffa jail: fix jail(8) synposis and usage message to match reality.
Reported by:	yuri
PR:		254741
MFC after:	5 days
2021-04-04 10:49:38 -07:00
Kyle Evans
466df976ba jail(8): reset to root cpuset before attaching to run commands
Recent changes have made it such that attaching to a jail will augment
the attaching process' cpu mask with the jail's cpuset. While this is
convenient for allowing the administrator to cpuset arbitrary programs
that will attach to a jail, this is decidedly not convenient for
executing long-running daemons during jail creation.

This change inserts a reset of the process cpuset to the root cpuset
between the fork and attach to execute a command. This allows commands
executed to have the widest mask possible, and the administrator can
cpuset(1) it back down inside the jail as needed.

With this applied, one should be able to change a jail's cpuset at
exec.poststart in addition to exec.created.  The former was made
difficult if jail(8) itself was running with a constrained set, as then
some processes may have been spawned inside the jail with a non-root
set.  The latter is the preferred option so that processes starting in
the jail are constrained appropriately up front.

Note that all system commands are still run with the process' initial
cpuset applied.

PR:		253724
MFC after:	3 days
Reviewed by:	jamie
Differential Revision:	https://reviews.freebsd.org/D29008
2021-03-04 13:28:53 -06:00
Alex Richardson
72692dfdfe usr.bin/jail: Fix tests when using kyua -v parallelism=N
These tests create jails with the same name, so they cannot be run in
parallel.

Reviewed By:	lwhsu
Differential Revision: https://reviews.freebsd.org/D28482
2021-02-04 17:56:55 +00:00
Mariusz Zaborski
05e1e482c7 jail: introduce per jail suser_enabled setting
The suser_enable sysctl allows to remove a privileged rights from uid 0.
This change introduce per jail setting which allow to make root a
normal user.

Reviewed by:	jamie
Previous version reviewed by:	kevans, emaste, markj, me_igalic.co
Discussed with:	pjd
Differential Revision:	https://reviews.freebsd.org/D27128
2020-11-18 21:07:08 +00:00
Jamie Gritton
0eb6603f6b Disregard jails in jail.conf that have bad parameters (parameter/variable
clash, or redefining name/jid).  The current behvaior, of merely warning
and moving on, can lead to unexpected behavior when a jail is created
without the offending parameter defined at all.
2020-08-27 17:04:55 +00:00
Jamie Gritton
bb4ec28922 Don't allow jail.conf variables to have the same names as jail parameters.
It was already not allowed in many cases, but crashed instead of giving an
error.

PR:		248444
2020-08-27 00:17:17 +00:00
Jamie Gritton
48c376a6f1 Back out r364791 to unbreak jails. Lesson learned: "compile and test" means
running the test on the same executable that you just compiled.

PR:		248444
Pointy hat to:	jamie
2020-08-26 18:35:32 +00:00
Jamie Gritton
177b077e57 Handle jail.conf variables that have the same names as parameters.
PR:		248444
Submitted by:	Akos Somfai
Reported by:	Markus Stoff
2020-08-26 00:42:59 +00:00
Ryan Moeller
66005c453d jail: Add exec.prepare and exec.release command hooks
This change introduces new jail command hooks that run before and after any
other actions.

The exec.prepare hook can be used for example to invoke a script that checks
if the jail's root exists, creating it if it does not. Since arbitrary
variables in jail.conf can be passed to the command, it can be pretty useful
for templating jails.

An example use case for exec.release would be to remove the filesystem of an
ephemeral jail.

The names "prepare" and "release" are borrowed from the names of similar hooks
in libvirt.

Reviewed by:	jamie, manpages, mmacy
Approved by:	mmacy (mentor)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D24829
2020-05-14 23:38:11 +00:00
Eugene Grosbein
4e49fbcd37 jail(8): improve manual and usage information with more clear
description for "jail -e" mode to show that it does not take
additional jail name argument.

Reported by:		David Marec <david.marec@davenulle.org>
MFC after:		3 days
2020-04-17 10:12:11 +00:00
Andrew Turner
3a142cd10c Use memmove to copy within a buffer
jail(8) would try to use strcpy to remove the interface from the start of
an IP address. This is undefined, and on arm64 will result in unexpected
IPv6 addresses.

Fix this by using memmove top move the string.

PR:		245102
Reported by:	sbruno
MFC after:	2 weeks
Sponsored by:	Innovate UK
2020-04-01 09:51:29 +00:00
Ed Maste
1da495d063 revert r354935 and apply fix for cleandir failure
This reapplies the RISC-V GNU ld workaround from r354896, r354899, and
354900, along with a fix for the build failure during cleandir.

LINKER_TYPE was not being set during cleandir, resulting in
Malformed conditional (${LINKER_TYPE} == "bfd" && ${MACHINE} == "riscv")
from Cirrus-CI.

PR:		242109
Sponsored by:	The FreeBSD Foundation
2019-11-21 13:56:16 +00:00
Glen Barber
fb1c294d47 Revert r354896, r354899, r354900:
Fix build.

Sponsored by:	Rubicon Communications, LLC (netgate.com)
2019-11-21 04:12:08 +00:00
Li-Wen Hsu
7cef5cac04 Use the correct variable, also limit the scope to bfd
PR:		242109
Reported by:	jhb
Sponsored by:	The FreeBSD Foundation
2019-11-20 16:54:21 +00:00
Li-Wen Hsu
f10ddee841 Limit the workaround to riscv only
PR:		242109
Sponsored by:	The FreeBSD Foundation
2019-11-20 16:35:58 +00:00
Li-Wen Hsu
53c772bbd7 Workaround riscv64 build when using binutils 2.33.1
PR:		242109
Reviewed by:	bapt
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D22457
2019-11-20 16:20:49 +00:00
Andriy Gapon
5fda0d60c1 add ability to set watchdog timeout for a shutdown
This change allows to specify a watchdog(9) timeout for a system
shutdown.  The timeout is activated when the watchdogd daemon is
stopped.  The idea is to a prevent any indefinite hang during late
stages of the shutdown.  The feature is implemented in rc.d/watchdogd,
it builds upon watchdogd -x option.

Note that the shutdown timeout is not actiavted when the watchdogd
service is individually stopped by an operator.  It is also not
activated for the 'shutdown' to the single-user mode.  In those cases it
is assumed that the operator knows what they are doing and they have
means to recover the system should it hang.

Significant subchanges and implementation details:
- the argument to rc.shutdown, completely unused before, is assigned to
  rc_shutdown variable that can be inspected by rc scripts
- init(8) passes "single" or "reboot" as the argument, this is not
  changed
- the argument is not mandatory and if it is not set then rc_shutdown is
  set to "unspecified"
- however, the default jail management scripts and jail configuration
  examples have been updated to pass "jail" to rc.shutdown, just in case
- the new timeout can be set via watchdogd_shutdown_timeout rc option
- for consistency, the regular timeout can now be set via
  watchdogd_timeout rc option
- watchdogd_shutdown_timeout and watchdogd_timeout override timeout
  specifications in watchdogd_flags
- existing configurations, where the new rc options are not set, should
  keep working as before

I am not particularly wed to any of the implementation specifics.
I am open to changing or removing any of them as long as the provided
functionality is the same (or very close) to the proposed one.
For example, I think it can be implemented without using watchdogd -x,
by means of watchdog(1) alone.  In that case there would be a small
window between stopping watchdogd and running watchdog, but I think that
that is acceptable.

Reviewed by:	bcr (man page changes)
MFC after:	5 weeks
Relnotes:	yes
Differential Revision: https://reviews.freebsd.org/D21221
2019-10-03 11:23:10 +00:00
Michael Zhilin
cd38a86c63 [jail] removal by jid doesn't trigger pre/post stop scripts
This commit fixes bug: command "jail -r" didn't trigger pre/post stop
commands (and others) defined in config file if jid is specified insted of
name. Also it adds basic tests for usr.sbin/jail to avoid regression.

Reviewed by:	jamie, kevans, ray
MFC after:      5 days
Differential Revision: https://reviews.freebsd.org/D21328
2019-09-12 18:53:29 +00:00
Baptiste Daroussin
a9a39d4014 Stop linking to libl by specifying we do not need yywrap
MFC after: 3 days
2019-09-10 07:25:37 +00:00
Brooks Davis
ffda67901e Change ed(4), ep(4), and fxp(4) examples to em(4).
ed(4) and ep(4) have been removed. fxp(4) remains popular in older
systems, but isn't as future proof as em(4).

Reviewed by:	bz, jhb
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D20311
2019-05-18 21:01:36 +00:00
Dmitry Morozovsky
be659d72bb Clarify error messages a bit.
X-Found-With:	r343112
MFC after:	1 month
2019-01-18 23:00:52 +00:00
Eugene Grosbein
bd24e861b4 jail(8): stop crashing with SIGSEGV inside run_command() function
while processing not entirely correct jail.conf(5) file
having something like "ip4.addr = 127.0.0.1;" and no "ip4 = ...;"
so extrap variable stays NULL.

Reported by:	marck
MFC after:	1 month
2019-01-17 14:09:55 +00:00
Jamie Gritton
b307954481 In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl
node is set, allow setting security.bsd.unprivileged_proc_debug per-jail.
In part, this is needed to create jails in which the Address Sanitizer
(ASAN) fully works as ASAN utilizes libkvm to inspect the virtual address
space. Instead of having to allow unprivileged process debugging for the
entire system, allow setting it on a per-jail basis.

The sysctl node is still security.bsd.unprivileged_proc_debug and the
jail(8) param is allow.unprivileged_proc_debug. The sysctl code is now a
sysctl proc rather than a sysctl int. This allows us to determine setting
the flag for the corresponding jail (or prison0).

As part of the change, the dynamic allow.* API needed to be modified to
take into account pr_allow flags which may now be disabled in prison0.
This prevents conflicts with new pr_allow flags (like that of vmm(4)) that
are added (and removed) dynamically.

Also teach the jail creation KPI to allow differences for certain pr_allow
flags between the parent and child jail. This can happen when unprivileged
process debugging is disabled in the parent prison, but enabled in the
child.

Submitted by:	Shawn Webb <lattera at gmail.com>
Obtained from:	HardenedBSD (45b3625edba0f73b3e3890b1ec3d0d1e95fd47e1, deba0b5078cef0faae43cbdafed3035b16587afc, ab21eeb3b4c72f2500987c96ff603ccf3b6e7de8)
Relnotes:	yes
Sponsored by:	HardenedBSD and G2, Inc
Differential Revision:	https://reviews.freebsd.org/D18319
2018-11-27 17:51:50 +00:00
Eugene Grosbein
1e1a4743ba jail(8): introduce new command option -e to exhibit
a list of configured non-wildcard jails with their parameters,
no matter running or not.

The option -e takes separator argument that is used
to separate printed parameters. It will be used with following
additions to system periodic scripts to differentiate parts
of directory tree belonging jails as opposed to host's.

MFC after:	1 month
2018-11-10 12:03:57 +00:00
Jamie Gritton
4520f617c9 Fix typos from r339409.
Reported by:	maxim
Approved by:	re (gjb)
2018-10-18 15:02:57 +00:00
Jamie Gritton
b19d66fd5a Add a new jail permission, allow.read_msgbuf. When true, jailed processes
can see the dmesg buffer (this is the current behavior).  When false (the
new default), dmesg will be unavailable to jailed users, whether root or
not.

The security.bsd.unprivileged_read_msgbuf sysctl still works as before,
controlling system-wide whether non-root users can see the buffer.

PR:		211580
Submitted by:	bz
Approved by:	re@ (kib@)
MFC after:	3 days
2018-10-17 16:11:43 +00:00
Bjoern Heidotting
951de5548b In r324732 sysinstall was replaced by bsdinstall.
However, for post-install configuration, bsdinstall
is not of much use. Point the user to bsdconfig instead.

Reviewed by:	0mp, bcr
Approved by:	0mp, bcr
Differential Revision:	https://reviews.freebsd.org/D16751
2018-08-20 18:17:50 +00:00
Jamie Gritton
07ebf3dd69 security.jail.enforce_statfs is handled by jail_set(2), so handling it in
userspace jail(8) is redundant.

Differential Revision:	D14791
2018-08-16 18:30:49 +00:00
Jamie Gritton
92bceb9756 Don't let clobber jailparam values when checking for modification of
init-only parameters.

Compare string parameter values with strncmp, not memcmp.

PR:		230487
Reported by:	Jason Mader
MFC after:	3 days
2018-08-15 20:23:17 +00:00
Alexander Leidinger
f6c0e63bf7 - Add exec hook "exec.created". This is called when the jail is
created and before exec.start is called.			[1]
- Bump __FreeBSD_version.

This allows to attach ZFS datasets and various other things to be
done before any command/service/rc-script is started in the new
jail.

PR:			228066					[1]
Reviewed by:		jamie					[1]
Submitted by:		Stefan Grönke <stefan@gronke.net>	[1]
Differential Revision:	https://reviews.freebsd.org/D15330	[1]
2018-08-15 18:35:42 +00:00
Marcelo Araujo
be963beee6 - Add the ability to run bhyve(8) within a jail(8).
This patch adds a new sysctl(8) knob "security.jail.vmm_allowed",
by default this option is disable.

Submitted by:	Shawn Webb <shawn.webb____hardenedbsd.org>
Reviewed by:	jamie@ and myself.
Relnotes:	Yes.
Sponsored by:	HardenedBSD and G2, Inc.
Differential Revision:	https://reviews.freebsd.org/D16057
2018-08-01 00:39:21 +00:00
Antoine Brodin
ccd6ac9f6e Add allow.mlock to jail parameters
It allows locking or unlocking physical pages in memory within a jail

This allows running elasticsearch with "bootstrap.memory_lock" inside a jail

Reviewed by:	jamie@
Differential Revision:	https://reviews.freebsd.org/D16342
2018-07-29 12:41:56 +00:00
Alan Somers
5717aa2d2a Allow mounting FUSE filesystems in jails
Reviewed by:	jamie
MFC after:	2 weeks
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16371
2018-07-20 21:35:31 +00:00
Jamie Gritton
0e5c6bd436 Make it easier for filesystems to count themselves as jail-enabled,
by doing most of the work in a new function prison_add_vfs in kern_jail.c
Now a jail-enabled filesystem need only mark itself with VFCF_JAIL, and
the rest is taken care of.  This includes adding a jail parameter like
allow.mount.foofs, and a sysctl like security.jail.mount_foofs_allowed.
Both of these used to be a static list of known filesystems, with
predefined permission bits.

Reviewed by:	kib
Differential Revision:	D14681
2018-05-04 20:54:27 +00:00
Pedro F. Giffuni
1de7b4b805 various: general adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.
2017-11-27 15:37:16 +00:00
Ed Maste
72130735d8 Strip EOL whitespace in usr.sbin/{jail,jexec} 2017-11-10 14:53:16 +00:00
Bryan Drewery
ea825d0274 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
Benjamin Kaduk
72cc0b3d93 Adopt jail.8 to our brave new bsdinstall world
Submitted by:	Steve Kargl
MFC after:	3 days
2017-10-18 22:56:46 +00:00
Allan Jude
e28f9b7d03 Jails: Optionally prevent jailed root from binding to privileged ports
You may now optionally specify allow.noreserved_ports to prevent root
inside a jail from using privileged ports (less than 1024)

PR:		217728
Submitted by:	Matt Miller <mattm916@pulsar.neomailbox.ch>
Reviewed by:	jamie, cem, smh
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D10202
2017-06-06 02:15:00 +00:00
Jamie Gritton
6bd211bb87 Same as r316022 (Fix hexadecimal escape codes in jail.conf(5)),
but do it right this time.

Reported by:	Kyle Evans <Kyle Evans>
MFC after:	3 days
2017-03-27 13:37:40 +00:00
Jamie Gritton
acf8ec5684 Fix hexadecimal escape codes in jail.conf(5).
PR:		218154
Submitted by:	Masahiro Konishi <mkonishi@sea.plala.or.jp>
MFC after:	3 days
2017-03-27 13:27:39 +00:00
Xin LI
760f2905be Don't assign rtjp twice.
Reported by:	clang static analyzer
MFC after:	2 weeks
2016-12-26 19:27:12 +00:00
Jamie Gritton
4c86c0fa98 Fix up the order in which jail creation processes are run, to preserve
the config file's order in the non-parallel-start case.

PR:		209112
MFC after:	3 days
2016-07-14 20:15:55 +00:00
Jamie Gritton
a8702c8383 typo
Submitted by:	Jimmy Olgeni
2016-05-01 16:48:03 +00:00
Pedro F. Giffuni
b5635ba0a2 usr.sbin: minor spelling fixes on comments.
No functional change.
2016-05-01 16:41:25 +00:00
Jamie Gritton
ab9604e1bb Clarify when happens when there is a "depend" parameter in jail.conf,
and how this affects the "jail_list" option in rc.conf.
2016-04-30 21:27:41 +00:00
Jamie Gritton
52a510ace9 Encapsulate SYSV IPC objects in jails. Define per-module parameters
sysvmsg, sysvsem, and sysvshm, with the following bahavior:

inherit: allow full access to the IPC primitives.  This is the same as
the current setup with allow.sysvipc is on.  Jails and the base system
can see (and moduly) each other's objects, which is generally considered
a bad thing (though may be useful in some circumstances).

disable: all no access, same as the current setup with allow.sysvipc off.

new: A jail may see use the IPC objects that it has created.  It also
gets its own IPC key namespace, so different jails may have their own
objects using the same key value.  The parent jail (or base system) can
see the jail's IPC objects, but not its keys.

PR:		48471
Submitted by:	based on work by kikuchan98@gmail.com
MFC after:	5 days
2016-04-25 17:06:50 +00:00