Re: RFC: Jail privsets

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Re: RFC: Jail privsets

Kyle Evans-3
On Sun, Nov 29, 2020 at 6:51 AM Bjoern A. Zeeb <[hidden email]> wrote:

> On 28 Nov 2020, at 14:39, Kyle Evans wrote:
> Hi,
> Cc: jamie explicitly as he might have thoughts as well.
> > Yeah, so jail sets are a little tricky, and to be honest I haven't
> > really thought about how to cope with common jail sets. The
> > complication arises because you have various allow flags that
> > typically default to off and turn privileges on, but your common sets
> > would have to include them. So, you'd probably end up with:
> >
> > privset 0: All privs available to the superuser (not considering
> > superuser policy just yet)
> > privset 1: All privs available to jails (assuming most permissive, all
> > allow flags on and assuming a new vnet on VIMAGE systems)
> >
> > So jails would typically inherit privset 1, but they'd have to mask
> > out based on vnet/allow flags out of necessity. Now, that's not
> > terrible, but I think we'd have to do a couple more things to reduce
> > maintenance burden on folks introducing privs:
> >
> > 1.) Clearly define a central table that maps pr_flags <-> privs where
> > there's a 1:1 mapping (most common, though PRIV_VFS_*MOUNT* are a
> > little more complicated)
> > 2.) Walk said table when we're defining privs in privset 1
> > 3.) Walk said table when we're determining what to mask out
> >
> > I suspect the vnet set is large enough that we'd just have a separate
> > kernel-internal mask for "vnet privs". In any event, for most people,
> > there will be one of three places that you might touch when adding a
> > new priv flag or pr_flag mapping to a priv, but it should still be
> > obvious what you want: either you want a conditionally added flag, you
> > want to influence the default jail policy, or you want to change the
> > vnet policy. The latter two scenarios might even be a little easier,
> > because you don't need to wade through these gigantic switch
> > statements with a lot of cases to determine where you really want it
> > to go.
> I think this is all terribly too complicated.
> If we’ll have manageable fine-grained priv system, them retire allow and
> vnet checks for PRIV_* checks and be done with it.  If we need new PRIV_*
> checks to accomplish that adding PRIV_* is semi-cheap to add.
> The big switch statements in kern_jail.c will go as the applied priv set
> will do the right thing already, which means at this point we’d have
> a base-system-privset, a classic-jail-privset, a vnet-jail-privset by
> default probably.
> If we want to keep allow* in jails we can probably make them compat code
> to adjust PRIV_* but I am not sure I’d want jail to still do that or a
> separate priv command (a la cpuset).
> Means jails become simple again and a lot of the complicate logic can
> drop out.

Sure- I'm not so sure about vnet, but all of the allow flags could get
deprecated in favor of describing the privs available somewhere and
letting admin make decisions. I think the vnet set still makes a lot
of sense unless you're also proposing that we could just create new
vnets if one of those privileges is turned on -- in which case, we'd
still have to manage the set, but it wouldn't be used much beyond a
hint mask that we need to create a vnet.

> >> And yes, that would indeed simplify our jail and network stack (and some
> >> other)
> >> code quite a bit.
> >>
> >> I’d love this (step-by-step or in whole right away) :-)
> >>
> >
> > :-)
> >
> > I'm looking to see if I can define a useful abstraction from
> > cpuset/domainset that would limit the amount of duplication needed for
> > this, then I'll post a v2 to Phabricator.
> There’s probably edge cases in which managing privsets will be a priv as
> well and we’ll probably need multiple cases:  one that can still “widen”
> priv and one that can only copy-and-further-restrict-only.  The latter
> probably being the default.

True enough.
[hidden email] mailing list
To unsubscribe, send any mail to "[hidden email]"