freebsd-nq/usr.sbin/jail
Jamie Gritton b307954481
In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl
node is set, allow setting security.bsd.unprivileged_proc_debug per-jail.
In part, this is needed to create jails in which the Address Sanitizer
(ASAN) fully works as ASAN utilizes libkvm to inspect the virtual address
space. Instead of having to allow unprivileged process debugging for the
entire system, allow setting it on a per-jail basis.

The sysctl node is still security.bsd.unprivileged_proc_debug and the
jail(8) param is allow.unprivileged_proc_debug. The sysctl code is now a
sysctl proc rather than a sysctl int. This allows us to determine setting
the flag for the corresponding jail (or prison0).

As part of the change, the dynamic allow.* API needed to be modified to
take into account pr_allow flags which may now be disabled in prison0.
This prevents conflicts with new pr_allow flags (like that of vmm(4)) that
are added (and removed) dynamically.

Also teach the jail creation KPI to allow differences for certain pr_allow
flags between the parent and child jail. This can happen when unprivileged
process debugging is disabled in the parent prison, but enabled in the
child.

Submitted by:	Shawn Webb <lattera at gmail.com>
Obtained from:	HardenedBSD (45b3625edba0f73b3e3890b1ec3d0d1e95fd47e1, deba0b5078cef0faae43cbdafed3035b16587afc, ab21eeb3b4c72f2500987c96ff603ccf3b6e7de8)
Relnotes:	yes
Sponsored by:	HardenedBSD and G2, Inc
Differential Revision:	https://reviews.freebsd.org/D18319
2018-11-27 17:51:50 +00:00
command.c - Add exec hook "exec.created". This is called when the jail is 2018-08-15 18:35:42 +00:00
config.c security.jail.enforce_statfs is handled by jail_set(2), so handling it in 2018-08-16 18:30:49 +00:00
jail.8 In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl 2018-11-27 17:51:50 +00:00
jail.c jail(8): introduce new command option -e to exhibit 2018-11-10 12:03:57 +00:00
jail.conf.5 Remove man page references to rndassociates.com, which has been taken over 2016-02-10 14:48:49 +00:00
jaillex.l various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
jailp.h jail(8): introduce new command option -e to exhibit 2018-11-10 12:03:57 +00:00
jailparse.y various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
Makefile Add a package for jail(8) and related utilities. 2016-01-20 17:07:13 +00:00
Makefile.depend DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
state.c various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00