Files
src/sys/security/mac/mac_prison.c
T
Kyle Evans 8254b0dec0 kern: mac: add various jail MAC hooks
This adds the following hooks:
 - mpo_prison_check_attach: check for subject capability to attach to
    a given jail
 - mpo_prison_check_create: check for subject capability to create a
    jail with the given option set
 - mpo_prison_check_get: check for subject capability to fetch the
    given parameters for a jail
 - mpo_prison_check_set: check for subject capability to set the
    given parameters for a jail
 - mpo_prison_check_remove: check for subject capability to remove the
    jail

check_get wouldn't typically be a privileged operation, but is included
to give MAC policies a wider range of capabilities at a relatively low
cost.  We also add two more for the purpose of label propagation:
 - mpo_prison_created: surface the creation of a jail so that one can
    do propagation to, e.g., the root vnode or any mounts
 - mpo_prison_attached: attach an existing process to the jail so that
    one can propagate the jail label to the process, as appropriate.

It is unclear if this is preferred vs. having separate associate entry
points for each type of object we might associate.  That would split
these up like so:

 - prison_created -> prison_associate_vnode
 - prison_attached -> prison_associate_proc

Some sample policy ideas that should be feasible to implement with this
set of hooks, in case it's inspiring:
 - mac_bomb: policy that allows a poudriere user to construct jails
    without root privilege, given a restricted set of jail parameters.
    Slap a warning label on it.
 - mac_capsule: policy that realizes the capsule idea that I pitched[0]
    on -jail@ to create jails that are effectively immutable once
    sealed, using these hooks and a label.

Perhaps a silly idea, but a downstream could consider a scenario where
it can implement special jail enumeration using a MAC policy and a
cooperating application that specifies non-parameter options to filter
the results.

[0] https://lists.freebsd.org/archives/freebsd-jail/2025-September/000550.html

Reviewed by:	olce (slightly earlier version)
Differential Revision:	https://reviews.freebsd.org/D53954
2026-01-15 18:23:39 -06:00

232 lines
5.2 KiB
C

/*-
* Copyright (c) 2025 Kyle Evans <kevans@FreeBSD.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <sys/cdefs.h>
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/condvar.h>
#include <sys/imgact.h>
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/mac.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
#include <sys/sysctl.h>
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>
static void
mac_prison_label_free(struct label *label)
{
if (label == NULL)
return;
MAC_POLICY_PERFORM_NOSLEEP(prison_destroy_label, label);
mac_labelzone_free(label);
}
static struct label *
mac_prison_label_alloc(int flag)
{
struct label *label;
int error;
label = mac_labelzone_alloc(flag);
if (label == NULL)
return (NULL);
if (flag & M_WAITOK)
MAC_POLICY_CHECK(prison_init_label, label, flag);
else
MAC_POLICY_CHECK_NOSLEEP(prison_init_label, label, flag);
if (error) {
mac_prison_label_free(label);
return (NULL);
}
return (label);
}
/*
* The caller's expecting us to return with the prison locked if we were
* successful, since we're also setting pr->pr_label. On error, it remains
* unlocked.
*/
int
mac_prison_init(struct prison *pr, int flag)
{
struct label *prlabel;
mtx_assert(&pr->pr_mtx, MA_NOTOWNED);
if ((mac_labeled & MPC_OBJECT_PRISON) == 0) {
mtx_lock(&pr->pr_mtx);
pr->pr_label = NULL;
return (0);
}
prlabel = mac_prison_label_alloc(flag);
if (prlabel == NULL) {
KASSERT((flag & M_WAITOK) == 0,
("MAC policy prison_init_label failed under M_WAITOK"));
return (ENOMEM);
}
mtx_lock(&pr->pr_mtx);
pr->pr_label = prlabel;
return (0);
}
void
mac_prison_destroy(struct prison *pr)
{
mtx_assert(&pr->pr_mtx, MA_OWNED);
mac_prison_label_free(pr->pr_label);
pr->pr_label = NULL;
}
int
mac_prison_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
MAC_POLICY_EXTERNALIZE(prison, label, elements, outbuf, outbuflen);
return (error);
}
int
mac_prison_internalize_label(struct label *label, char *string)
{
int error;
MAC_POLICY_INTERNALIZE(prison, label, string);
return (error);
}
void
mac_prison_relabel(struct ucred *cred, struct prison *pr,
struct label *newlabel)
{
mtx_assert(&pr->pr_mtx, MA_OWNED);
MAC_POLICY_PERFORM_NOSLEEP(prison_relabel, cred, pr, pr->pr_label,
newlabel);
}
MAC_CHECK_PROBE_DEFINE4(prison_check_relabel, "struct ucred *",
"struct prison *", "struct label *", "struct label *");
int
mac_prison_check_relabel(struct ucred *cred, struct prison *pr,
struct label *newlabel)
{
int error;
mtx_assert(&pr->pr_mtx, MA_OWNED);
MAC_POLICY_CHECK_NOSLEEP(prison_check_relabel, cred, pr,
pr->pr_label, newlabel);
MAC_CHECK_PROBE4(prison_check_relabel, error, cred, pr,
pr->pr_label, newlabel);
return (error);
}
MAC_CHECK_PROBE_DEFINE3(prison_check_attach, "struct ucred *",
"struct prison *", "struct label *");
int
mac_prison_check_attach(struct ucred *cred, struct prison *pr)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(prison_check_attach, cred, pr, pr->pr_label);
MAC_CHECK_PROBE3(prison_check_attach, error, cred, pr, pr->pr_label);
return (error);
}
MAC_CHECK_PROBE_DEFINE3(prison_check_create, "struct ucred *",
"struct vfsoptlist *", "int");
int
mac_prison_check_create(struct ucred *cred, struct vfsoptlist *opts,
int flags)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(prison_check_create, cred, opts, flags);
MAC_CHECK_PROBE3(prison_check_create, error, cred, opts, flags);
return (error);
}
MAC_CHECK_PROBE_DEFINE5(prison_check_get, "struct ucred *",
"struct prison *", "struct label *", "struct vfsoptlist *", "int");
int
mac_prison_check_get(struct ucred *cred, struct prison *pr,
struct vfsoptlist *opts, int flags)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(prison_check_get, cred, pr, pr->pr_label,
opts, flags);
MAC_CHECK_PROBE5(prison_check_get, error, cred, pr, pr->pr_label, opts,
flags);
return (error);
}
MAC_CHECK_PROBE_DEFINE5(prison_check_set, "struct ucred *",
"struct prison *", "struct label *", "struct vfsoptlist *", "int");
int
mac_prison_check_set(struct ucred *cred, struct prison *pr,
struct vfsoptlist *opts, int flags)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(prison_check_set, cred, pr, pr->pr_label,
opts, flags);
MAC_CHECK_PROBE5(prison_check_set, error, cred, pr, pr->pr_label, opts,
flags);
return (error);
}
MAC_CHECK_PROBE_DEFINE3(prison_check_remove, "struct ucred *",
"struct prison *", "struct label *");
int
mac_prison_check_remove(struct ucred *cred, struct prison *pr)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(prison_check_remove, cred, pr, pr->pr_label);
MAC_CHECK_PROBE3(prison_check_remove, error, cred, pr, pr->pr_label);
return (error);
}
void
mac_prison_created(struct ucred *cred, struct prison *pr)
{
MAC_POLICY_PERFORM(prison_created, cred, pr, pr->pr_label);
}
void
mac_prison_attached(struct ucred *cred, struct prison *pr, struct proc *p)
{
MAC_POLICY_PERFORM(prison_attached, cred, pr, pr->pr_label, p,
p->p_label);
}