Add a new sysctl, "security.jail.chflags_allowed", which controls the

behaviour of chflags within a jail. If set to 0 (the default), then a jailed root user is treated as an unprivileged user; if set to 1, then a jailed root user is treated the same as an unjailed root user. This is necessary to allow "make installworld" to work inside a jail, since it attempts to manipulate the system immutable flag on certain files. Discussed with: csjp, rwatson MFC after: 2 weeks
2005-02-08 21:31:11 +00:00 · 2005-02-08 21:31:11 +00:00 · 30beb7d8e4
commit 30beb7d8e4
parent e64e9f38d4
4 changed files with 24 additions and 4 deletions
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@ -67,6 +67,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
    &jail_allow_raw_sockets, 0,
    "Prison root can create raw sockets");

+int	jail_chflags_allowed = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
+    &jail_chflags_allowed, 0,
+    "Processes in jail can alter system file flags");
+
 /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
 struct	prisonlist allprison;
 struct	mtx allprison_mtx;
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@ -83,6 +83,7 @@ extern int	jail_socket_unixiproute_only;
 extern int	jail_sysvipc_allowed;
 extern int	jail_getfsstat_jailrootonly;
 extern int	jail_allow_raw_sockets;
+extern int	jail_chflags_allowed;

 LIST_HEAD(prisonlist, prison);
 extern struct	prisonlist allprison;
--- a/sys/ufs/ufs/ufs_vnops.c
+++ b/sys/ufs/ufs/ufs_vnops.c
@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/conf.h>
 #include <sys/acl.h>
 #include <sys/mac.h>
+#include <sys/jail.h>

 #include <machine/mutex.h>

@ -472,13 +473,17 @@ ufs_setattr(ap)
 		if ((error = VOP_ACCESS(vp, VADMIN, cred, td)))
 			return (error);
 		/*
-		 * Unprivileged processes and privileged processes in
-		 * jail() are not permitted to unset system flags, or
-		 * modify flags if any system flags are set.
+		 * Unprivileged processes are not permitted to unset system
+		 * flags, or modify flags if any system flags are set.
 		 * Privileged non-jail processes may not modify system flags
 		 * if securelevel > 0 and any existing system flags are set.
+		 * Privileged jail processes behave like privileged non-jail
+		 * processes if the security.jail.chflags_allowed sysctl is
+		 * is non-zero; otherwise, they behave like unprivileged
+		 * processes.
 		 */
-		if (!suser_cred(cred, 0)) {
+		if (!suser_cred(cred,
+		    jail_chflags_allowed ? SUSER_ALLOWJAIL : 0)) {
 			if (ip->i_flags
 			    & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
 				error = securelevel_gt(cred, 0);
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@ -497,6 +497,15 @@ within a jail would be able to communicate with (and potentially interfere
 with) processes outside of the jail, and in other jails.
 As such, this functionality is disabled by default, but can be enabled
 by setting this MIB entry to 1.
+.It Va security.jail.chflags_allowed
+This MIB entry determines how a privileged user inside a jail will be 
+treated by
+.Xr chflags 2 .
+If zero, such users are treated as unprivileged, and are unable to set
+or clear system file flags; if non-zero, such users are treated as 
+privileged, and may manipulate system file flags subject to the usual
+constaints on
+.Va kern.securelevel .
 .El
 .Pp
 There are currently two MIB related variables that have per-jail settings.