From frank@pinky.sax.de  Fri Apr 22 10:47:52 2005
Return-Path: <frank@pinky.sax.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CC59516A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 22 Apr 2005 10:47:52 +0000 (GMT)
Received: from pinky.frank-behrens.de (pinky.frank-behrens.de [82.139.199.24])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B3FAD43D5C
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 22 Apr 2005 10:47:51 +0000 (GMT)
	(envelope-from frank@pinky.sax.de)
Received: from moon.behrens (localhost [127.0.0.1])
	by pinky.frank-behrens.de (8.13.3/8.13.3/FreeBSD 5.4-STABLE) with ESMTP id j3MAlke8094732
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 22 Apr 2005 12:47:46 +0200 (CEST)
	(envelope-from frank@moon.behrens)
Received: (from frank@localhost)
	by moon.behrens (8.13.3/8.13.3/Submit) id j3MAlk8X094731;
	Fri, 22 Apr 2005 12:47:46 +0200 (CEST)
	(envelope-from frank)
Message-Id: <200504221047.j3MAlk8X094731@moon.behrens>
Date: Fri, 22 Apr 2005 12:47:46 +0200 (CEST)
From: Frank Behrens <frank@pinky.sax.de>
Reply-To: Frank Behrens <frank@pinky.sax.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: jail(8) should be able to set kern.securelevel inside the prison
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         80242
>Category:       bin
>Synopsis:       [patch] jail(8) should be able to set kern.securelevel inside the prison
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    matteo
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 22 10:50:18 GMT 2005
>Closed-Date:    Fri May 26 10:33:10 GMT 2006
>Last-Modified:  Fri May 26 10:33:10 GMT 2006
>Originator:     Frank Behrens
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD moon.behrens 5.4-STABLE FreeBSD 5.4-STABLE #2: Tue Apr 12 10:41:41 CEST 2005 root@moon.behrens:/data2/sys/obj/usr/src/sys/FRANK01 i386
>Description:
jail(8) should be able to set kern.securelevel

As described in man jail(8) the kern.securelevel in a jail can raised independent
of host securelevel. If the jail is run with a user other than root
(option -u or -U) this user can not change the securelevel. Therefore
the securelevel must raised before the user is changed and this can
be done in jail(8) only.

jail(8) needs an option to be able to raise the securelevel in a jail
if the jail is run with a restricted user. A workaround would be
a suid executable inside the jail, but this is refused due to
security constraints.

>How-To-Repeat:
Start a jail with other user (option -u or -U) and try to raise
the securelevel in the jail without any suid executable.
>Fix:
The following patch implements the option to raise the
kern.securelevel inside a newly created jail.


--- jailseclevel.patch begins here ---
--- usr.sbin/jail/jail.8.orig	Sun Feb 27 16:40:16 2005
+++ usr.sbin/jail/jail.8	Thu Apr 21 10:43:33 2005
@@ -33,7 +33,7 @@
 .\"
 .\" $FreeBSD: src/usr.sbin/jail/jail.8,v 1.58.2.2 2005/02/27 15:40:16 brueffer Exp $
 .\"
-.Dd April 8, 2003
+.Dd April 21, 2005
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -42,6 +42,7 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl i
+.Op Fl s Ar securelevel
 .Op Fl l u Ar username | Fl U Ar username
 .Ar path hostname ip-number command ...
 .Sh DESCRIPTION
@@ -53,6 +54,8 @@
 .Bl -tag -width ".Fl u Ar username"
 .It Fl i
 Output the jail identifier of the newly created jail.
+.It Fl s Ar securelevel
+Sets "kern.securelevel" to the specified value inside the newly created jail.
 .It Fl l
 Run program in the clean environment.
 The environment is discarded except for
--- usr.sbin/jail/jail.c.orig	Sun Aug 15 10:21:50 2004
+++ usr.sbin/jail/jail.c	Thu Apr 21 10:39:00 2005
@@ -12,6 +12,7 @@
 
 #include <sys/param.h>
 #include <sys/jail.h>
+#include <sys/sysctl.h>
 
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -28,6 +29,7 @@
 #include <unistd.h>
 
 static void	usage(void);
+static void	setsecurelevel (int level);
 extern char	**environ;
 
 #define GET_USER_INFO do {						\
@@ -57,15 +59,19 @@
 	char path[PATH_MAX], *username;
 	static char *cleanenv;
 	const char *shell, *p;
+	int securelevel = -1;
 
 	iflag = lflag = uflag = Uflag = 0;
 	username = cleanenv = NULL;
 
-	while ((ch = getopt(argc, argv, "ilu:U:")) != -1) {
+	while ((ch = getopt(argc, argv, "ils:u:U:")) != -1) {
 		switch (ch) {
 		case 'i':
 			iflag = 1;
 			break;
+		case 's':
+			securelevel = (int) strtol(optarg, NULL, 0);
+			break;
 		case 'u':
 			username = optarg;
 			uflag = 1;
@@ -109,6 +115,8 @@
 		printf("%d\n", i);
 		fflush(stdout);
 	}
+	if (securelevel > 0)
+		setsecurelevel(securelevel);
 	if (username != NULL) {
 		if (Uflag)
 			GET_USER_INFO;
@@ -148,7 +156,15 @@
 {
 
 	(void)fprintf(stderr, "%s%s\n",
-	     "usage: jail [-i] [-l -u username | -U username]",
+	     "usage: jail [-i] [-s securelevel] [-l -u username | -U username]",
 	     " path hostname ip-number command ...");
 	exit(1);
+}
+
+static void
+setsecurelevel (int level) {
+
+     if (sysctlbyname("kern.securelevel", NULL, 0, &level, sizeof(level)))
+	     err(1, "Can not set secure level to %d", level);
+
 }
--- jailseclevel.patch ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->matteo 
Responsible-Changed-By: matteo 
Responsible-Changed-When: Mon Mar 20 19:08:37 UTC 2006 
Responsible-Changed-Why:  
Grab ownership. I'm interested in jails. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=80242 
State-Changed-From-To: open->patched 
State-Changed-By: matteo 
State-Changed-When: Thu May 11 13:04:58 UTC 2006 
State-Changed-Why:  
Patch committed to HEAD. I will MFC it in 2 weeks 

http://www.freebsd.org/cgi/query-pr.cgi?pr=80242 
State-Changed-From-To: patched->closed 
State-Changed-By: matteo 
State-Changed-When: Fri May 26 10:32:40 UTC 2006 
State-Changed-Why:  
Fixed and MFC'ed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=80242 
>Unformatted:
