(Cross-posting to -arch and -jail for maximum reach)

Hi,

A couple of times recently, I've had a need or desire to increase or decrease privileges available to jails I create to some extent. You can write a MAC policy for this, but at some point the downsides of MAC policies for this became clear: it's either non-trivial to allow the kind of flexibility you may need in configuring some of these jails, or you have to rebuild the module otherwise.

I've got a generally functional patch at [1] that is an approach I'd like to request comments on for refining jail privileges. It creates a privset that can be assigned on a per-jail basis, and a creator with PRIV_JAIL_SETPRIVS can specify any privset mask that's a subset of the parent prison. If no privset was specified at creation time, then we use the default logic that was previously in prison_priv_check(). prison_priv_check() has been replaced with a much simpler check of the prison's privset for the given privilege.

As I was writing this, I identified the first problem with it: it doesn't currently respond to ALLOW_* updates and grant the appropriate privileges after initialization time -- this is a pretty easy fix, and I will do so if anyone else finds this useful.

The other caveat is that I have no idea if there's a useful way to expose this to jail(8) users, but they're not really the primary target for this -- the primary target is system application developers that want more fine control over what a jail they're creating can do. This is an excellent foot-gun, but with great power comes great responsibility.

Thanks,

Kyle Evans

[1] https://people.freebsd.org/~kevans/privset.diff
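A model of the proposed per-jail privset in C, added here as an illustration and not taken from the patch at [1]: privileges are bit positions in a 64-bit mask, a creator needs PRIV_JAIL_SETPRIVS to pass a mask, the mask must be a subset of the parent prison's, and the lookup that replaces prison_priv_check() becomes a single bit test. The privilege numbers, struct and function names are constructed placeholders, not FreeBSD's, and clamping the default privset to the parent is an assumption the post does not state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model: one bit per privilege in a 64-bit mask. Real PRIV_*
 * numbering is different and is not modelled here. */
typedef uint64_t privset_t;
#define PRIVBIT(p) ((privset_t)1 << (p))
#define PRIV_MAX 64

/* Hypothetical privilege numbers for the model only. */
enum { PRIV_JAIL_SETPRIVS = 0, PRIV_MODEL_A = 1, PRIV_MODEL_B = 2, PRIV_MODEL_C = 3 };

struct prison_model {
    const struct prison_model *parent; /* NULL for the host */
    privset_t privset;                 /* effective privilege mask */
};

/* Stand-in for the legacy prison_priv_check() default list (constructed). */
static privset_t default_privset(void) { return PRIVBIT(PRIV_MODEL_A); }

/* Create a child prison. Returns false and leaves *child untouched when the
 * creator supplied a mask but lacks PRIV_JAIL_SETPRIVS, or when the mask is
 * not a subset of the parent's privset. */
bool prison_create_model(const struct prison_model *parent, privset_t creator_privs,
                         bool have_privset, privset_t requested,
                         struct prison_model *child)
{
    privset_t mask;

    if (!have_privset) {
        /* Assumption: the default is clamped so a child never exceeds its parent. */
        mask = default_privset() & parent->privset;
    } else {
        if ((creator_privs & PRIVBIT(PRIV_JAIL_SETPRIVS)) == 0)
            return false;                       /* not allowed to choose a mask */
        if ((requested & ~parent->privset) != 0)
            return false;                       /* would escalate past the parent */
        mask = requested;
    }
    child->parent = parent;
    child->privset = mask;
    return true;
}

/* The simplified check that replaces the old per-privilege switch. */
bool prison_priv_check_model(const struct prison_model *pr, int priv)
{
    if (priv < 0 || priv >= PRIV_MAX)
        return false;                           /* unknown privilege: deny */
    return (pr->privset & PRIVBIT(priv)) != 0;
}
```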