Revert "jail: Optionally allow audit session state to be configured in a jail"

Changing audit system calls to return EPERM instead of ENOSYS when
invoked from a jail breaks some userspace applications.  Revert for now
until a more complete change is reviewed.

This reverts commit 246d7e9fc2.

PR:		289645
This commit is contained in:
Mark Johnston
2025-09-16 13:43:47 +00:00
parent 9b8224b950
commit 1c3ca0c733
5 changed files with 18 additions and 49 deletions
+1 -12
View File
@@ -243,9 +243,6 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
{"allow.unprivileged_parent_tampering",
"allow.nounprivileged_parent_tampering",
PR_ALLOW_UNPRIV_PARENT_TAMPER},
#ifdef AUDIT
{"allow.setaudit", "allow.nosetaudit", PR_ALLOW_SETAUDIT},
#endif
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4292,6 +4289,7 @@ prison_priv_check(struct ucred *cred, int priv)
*/
case PRIV_KTRACE:
#if 0
/*
* Allow jailed processes to configure audit identity and
* submit audit records (login, etc). In the future we may
@@ -4300,11 +4298,6 @@ prison_priv_check(struct ucred *cred, int priv)
*/
case PRIV_AUDIT_GETAUDIT:
case PRIV_AUDIT_SETAUDIT:
if (cred->cr_prison->pr_allow & PR_ALLOW_SETAUDIT)
return (0);
else
return (EPERM);
#if 0
case PRIV_AUDIT_SUBMIT:
#endif
@@ -5041,10 +5034,6 @@ SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set system time");
SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may modify routing table");
#ifdef AUDIT
SYSCTL_JAIL_PARAM(_allow, setaudit, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set and get audit session state");
#endif
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
+12
View File
@@ -592,6 +592,8 @@ sys_getauid(struct thread *td, struct getauid_args *uap)
{
int error;
if (jailed(td->td_ucred))
return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
@@ -607,6 +609,8 @@ sys_setauid(struct thread *td, struct setauid_args *uap)
au_id_t id;
int error;
if (jailed(td->td_ucred))
return (ENOSYS);
error = copyin(uap->auid, &id, sizeof(id));
if (error)
return (error);
@@ -646,6 +650,8 @@ sys_getaudit(struct thread *td, struct getaudit_args *uap)
int error;
cred = td->td_ucred;
if (jailed(cred))
return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
if (error)
return (error);
@@ -668,6 +674,8 @@ sys_setaudit(struct thread *td, struct setaudit_args *uap)
struct auditinfo ai;
int error;
if (jailed(td->td_ucred))
return (ENOSYS);
error = copyin(uap->auditinfo, &ai, sizeof(ai));
if (error)
return (error);
@@ -707,6 +715,8 @@ sys_getaudit_addr(struct thread *td, struct getaudit_addr_args *uap)
{
int error;
if (jailed(td->td_ucred))
return (ENOSYS);
if (uap->length < sizeof(*uap->auditinfo_addr))
return (EOVERFLOW);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
@@ -724,6 +734,8 @@ sys_setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
struct auditinfo_addr aia;
int error;
if (jailed(td->td_ucred))
return (ENOSYS);
error = copyin(uap->auditinfo_addr, &aia, sizeof(aia));
if (error)
return (error);
+1 -2
View File
@@ -271,7 +271,6 @@ struct prison_racct {
#define PR_ALLOW_SETTIME 0x00100000
#define PR_ALLOW_ROUTING 0x00200000
#define PR_ALLOW_UNPRIV_PARENT_TAMPER 0x00400000
#define PR_ALLOW_SETAUDIT 0x00800000
/*
* PR_ALLOW_PRISON0 are the allow flags that we apply by default to prison0,
@@ -279,7 +278,7 @@ struct prison_racct {
* build time. PR_ALLOW_ALL_STATIC should contain any bit above that we expect
* to be used on the system, while PR_ALLOW_PRISON0 will be some subset of that.
*/
#define PR_ALLOW_ALL_STATIC 0x00ff87ff
#define PR_ALLOW_ALL_STATIC 0x007f87ff
#define PR_ALLOW_PRISON0 \
(PR_ALLOW_ALL_STATIC & ~(PR_ALLOW_UNPRIV_PARENT_TAMPER))
+4 -15
View File
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd September 15, 2025
.Dd August 7, 2025
.Dt JAIL 8
.Os
.Sh NAME
@@ -702,15 +702,15 @@ The super-user will be disabled automatically if its parent system has it
disabled.
The super-user is enabled by default.
.It Va allow.extattr
Allow privileged processes in the jail to manipulate filesystem extended
Allow privileged process in the jail to manipulate filesystem extended
attributes in the system namespace.
.It Va allow.adjtime
Allow privileged processes in the jail to slowly adjusting global operating system
Allow privileged process in the jail to slowly adjusting global operating system
time.
For example through utilities like
.Xr ntpd 8 .
.It Va allow.settime
Allow privileged processes in the jail to set global operating system data
Allow privileged process in the jail to set global operating system data
and time.
For example through utilities like
.Xr date 1 .
@@ -719,17 +719,6 @@ This permission includes also
.It Va allow.routing
Allow privileged process in the non-VNET jail to modify the system routing
table.
.It Va allow.setaudit
Allow privileged processes in the jail to set
.Xr audit 4
session state using
.Xr setaudit 2
and related system calls.
This is useful, for example, for allowing a jailed
.Xr sshd 8
to set the audit user ID for an authenticated session.
However, it gives jailed processes the ability to modify or disable audit
session state, so should be configured with care.
.El
.El
.Pp
-20
View File
@@ -306,25 +306,6 @@ param_consistency_cleanup()
fi
}
atf_test_case "setaudit"
setaudit_head()
{
atf_set descr 'Test that setaudit works in a jail when configured with allow.setaudit'
atf_set require.user root
atf_set require.progs setaudit
}
setaudit_body()
{
# Try to modify the audit mask within a jail without
# allow.setaudit configured.
atf_check -s not-exit:0 -o empty -e not-empty jail -c name=setaudit_jail \
command=setaudit -m fr ls /
# The command should succeed if allow.setaudit is configured.
atf_check -s exit:0 -o ignore -e empty jail -c name=setaudit_jail \
allow.setaudit command=setaudit -m fr ls /
}
atf_init_test_cases()
{
atf_add_test_case "basic"
@@ -333,5 +314,4 @@ atf_init_test_cases()
atf_add_test_case "commands"
atf_add_test_case "jid_name_set"
atf_add_test_case "param_consistency"
atf_add_test_case "setaudit"
}