jail: add a couple of missing allow_XX parameters:

olevole · olevole · commit 95b4dd31c415 · 2025-03-29T14:49:18.000+03:00
allow_suser allow_extattr allow_adjtime allow_settime
diff --git a/etc/defaults/jail-freebsd-default.conf b/etc/defaults/jail-freebsd-default.conf
@@ -135,9 +135,6 @@ allow_read_msgbuf="0"
 # Jail may access vmm(4)
 allow_vmm="0"
 
-# Unprivileged processes in the jail may use debugging facilities
-allow_unprivileged_proc_debug="1"
-
 # default nice
 rctl_nice="1"
 
@@ -183,6 +180,34 @@ allow_mlock="0"
 # the rc.conf(5) file outside of the jails.
 allow_nfsd="0"
 
+# The jail root may bind to ports lower than 1024.
+allow_reserved_ports=1
+
+# Unprivileged processes in the jail may use debugging
+# facilities.
+allow_unprivileged_proc_debug=1
+
+# The value of the jail's security.bsd.suser_enabled
+# sysctl.  The super-user will be disabled automatically if
+# its parent system has it disabled.  The super-user is
+# enabled by default.
+allow_suser=1
+
+# Allow privileged process in the jail to manipulate
+# filesystem extended attributes in the system namespace.
+allow_extattr=1
+
+# Allow privileged process in the jail to slowly adjusting
+# global operating system time.  For example through
+# utilities like ntpd(8).
+allow_adjtime=0
+
+# Allow privileged process in the jail to set global
+# operating system data and time.  For example through
+# utilities like date(1).  This permission includes also
+# allow_adjtime.
+allow_settime=0
+
 # enable etcupdate_bootstrap ?
 etcupdate_init="1"
 # Global cloud-init helper params for vm
diff --git a/jailctl/jconfig b/jailctl/jconfig
@@ -74,10 +74,10 @@ if [ -z "${cmd}" ]; then
 	myargs="allow_devfs allow_dying allow_fusefs allow_linprocfs allow_linsysfs allow_kmem allow_mount allow_nullfs allow_procfs allow_raw_sockets allow_reserved_ports \
 	allow_tmpfs allow_zfs allow_mlock allow_nfsd applytpl arch astart basename baserw childrenmax cpuset devfs_ruleset enforce_statfs exec_consolelog exec_fib exec_start exec_stop \
 	exec_timeout floatresolv hidden host_hostname interface ip4_addr jdomain mkhostsfile mount_devfs mount_fdescfs mount_procfs mount_linprocfs mount_linsysfs mount_kernel \
-	mount_ports mount_src persist protected stop_timeout sysvmsg sysvsem sysvshm ver vnet ci_gw4 mnt_start mnt_stop boot_delay jnameserver"
+	mount_ports mount_src persist protected stop_timeout sysvmsg sysvsem sysvshm ver vnet ci_gw4 mnt_start mnt_stop boot_delay jnameserver allow_read_msgbuf allow_vmm allow_unprivileged_proc_debug"
 
-	# allow_read_msgbuf for FreeBSD 12.0+
-	[ ${freebsdhostversion} -gt 1200085 ] && myargs="${myargs} allow_read_msgbuf allow_vmm allow_unprivileged_proc_debug"
+	# FreeBSD 14.2+
+	[ ${freebsdhostversion} -ge 1402000 ] && myargs="${myargs} allow_suser allow_extattr allow_adjtime allow_settime"
 
 	sorted_myargs=$( for i in ${myargs}; do
 		echo ${i}
diff --git a/jailctl/jset b/jailctl/jset
@@ -451,6 +451,49 @@ modify_allow_nfsd()
 	${ECHO} "${argpart}: ${N1_COLOR}${allow_nfsd}${N0_COLOR}"
 }
 
+# jid must be set
+modify_allow_reserved_ports()
+{
+	cbsdsqlrw local "UPDATE jails SET ${i}=\"${allow_reserved_ports}\" WHERE jname=\"${jname}\""
+	${JAIL_CMD} -m allow_reserved_ports=${allow_reserved_ports} jid=${jid}
+	${ECHO} "${argpart}: ${N1_COLOR}${allow_reserved_ports}${N0_COLOR}"
+}
+# jid must be set
+modify_allow_unprivileged_proc_debug()
+{
+	cbsdsqlrw local "UPDATE jails SET ${i}='${allow_unprivileged_proc_debug}' WHERE jname=\"${jname}\""
+	${JAIL_CMD} -m allow_unprivileged_proc_debug=${allow_unprivileged_proc_debug} jid=${jid}
+	${ECHO} "${argpart}: ${N1_COLOR}${allow_unprivileged_proc_debug}${N0_COLOR}"
+}
+# jid must be set
+modify_allow_suser()
+{
+	cbsdsqlrw local "UPDATE jails SET ${i}='${allow_suser}' WHERE jname=\"${jname}\""
+	${JAIL_CMD} -m allow_suser=${allow_suser} jid=${jid}
+	${ECHO} "${argpart}: ${N1_COLOR}${allow_suser}${N0_COLOR}"
+}
+# jid must be set
+modify_allow_extattr()
+{
+	cbsdsqlrw local "UPDATE jails SET ${i}='${allow_extattr}' WHERE jname=\"${jname}\""
+	${JAIL_CMD} -m allow_extattr=${allow_extattr} jid=${jid}
+	${ECHO} "${argpart}: ${N1_COLOR}${allow_extattr}${N0_COLOR}"
+}
+# jid must be set
+modify_allow_adjtime()
+{
+	cbsdsqlrw local "UPDATE jails SET ${i}='${allow_adjtime}' WHERE jname=\"${jname}\""
+	${JAIL_CMD} -m allow_adjtime=${allow_adjtime} jid=${jid}
+	${ECHO} "${argpart}: ${N1_COLOR}${allow_adjtime}${N0_COLOR}"
+}
+# jid must be set
+modify_allow_settime()
+{
+	cbsdsqlrw local "UPDATE jails SET ${i}='${allow_settime}' WHERE jname=\"${jname}\""
+	${JAIL_CMD} -m allow_settime=${allow_settime} jid=${jid}
+	${ECHO} "${argpart}: ${N1_COLOR}${allow_settime}${N0_COLOR}"
+}
+
 # jid must be set
 modify_host_hostname()
 {
@@ -1131,6 +1174,30 @@ for n in ${my_arg}; do
 						cbsdlogger NOTICE ${CBSD_APP}: modify_nfsd for ${jname}
 						modify_allow_nfsd
 						;;
+					allow_reserved_ports)
+						cbsdlogger NOTICE ${CBSD_APP}: allow_reserved_ports for ${jname}
+						modify_allow_reserved_ports
+						;;
+					allow_unprivileged_proc_debug)
+						cbsdlogger NOTICE ${CBSD_APP}: allow_unprivileged_proc_debug for ${jname}
+						modify_allow_unprivileged_proc_debug
+						;;
+					allow_suser)
+						cbsdlogger NOTICE ${CBSD_APP}: allow_suser for ${jname}
+						modify_allow_suser
+						;;
+					allow_extattr)
+						cbsdlogger NOTICE ${CBSD_APP}: allow_extattr for ${jname}
+						modify_allow_extattr
+						;;
+					allow_adjtime)
+						cbsdlogger NOTICE ${CBSD_APP}: allow_adjtime for ${jname}
+						modify_allow_adjtime
+						;;
+					allow_settime)
+						cbsdlogger NOTICE ${CBSD_APP}: allow_settime for ${jname}
+						modify_allow_settime
+						;;
 					allow_procfs)
 						cbsdlogger NOTICE ${CBSD_APP}: modify_allow_procfs
 						modify_allow_procfs
diff --git a/jailctl/jsetup-tui b/jailctl/jsetup-tui
@@ -69,7 +69,7 @@ shift #skip for jname
 
 if [ ${jid} -ne 0 ]; then
 	# Command for modifying on-the fly here:
-	JARG="ip4_addr cpuset astart exec_consolelog mount_src mount_ports mount_kernel allow_mount allow_nullfs allow_fusefs allow_linsysfs allow_linprocfs allow_tmpfs allow_mlock allow_nfsd allow_procfs devfs_ruleset jdomain b_order applytpl protected hidden allow_raw_sockets allow_read_msgbuf allow_vmm sysvsem sysvshm sysvmsg boot_delay jnameserver"
+	JARG="ip4_addr cpuset astart exec_consolelog mount_src mount_ports mount_kernel allow_mount allow_nullfs allow_fusefs allow_linsysfs allow_linprocfs allow_tmpfs allow_mlock allow_nfsd allow_procfs devfs_ruleset jdomain b_order applytpl protected hidden allow_raw_sockets allow_read_msgbuf allow_vmm sysvsem sysvshm sysvmsg boot_delay jnameserver allow_reserved_ports allow_unprivileged_proc_debug allow_suser allow_extattr allow_adjtime allow_settime"
 else
 	JARG="$*"
 fi
@@ -124,7 +124,7 @@ while true; do
 			invert_checkbox ${mychoice}
 			continue
 			;;
-		allow_tmpfs|allow_zfs|allow_kmem|mount_kernel|mount_obj|allow_read_msgbuf|allow_vmm|allow_mlock|allow_nfsd)
+		allow_tmpfs|allow_zfs|allow_kmem|mount_kernel|mount_obj|allow_read_msgbuf|allow_vmm|allow_mlock|allow_nfsd|allow_suser|allow_extattr|allow_adjtime|allow_settime)
 			invert_checkbox ${mychoice}
 			continue
 			;;
diff --git a/share/jail-arg b/share/jail-arg
@@ -88,6 +88,10 @@ gid \
 tags \
 zfs_encryption \
 boot_delay \
+allow_suser \
+allow_extattr \
+allow_adjtime \
+allow_settime \
 "
 
 ###
diff --git a/share/local-jails.schema b/share/local-jails.schema
@@ -7,7 +7,7 @@ exec_master_prestop status exec_timeout exec_fib stop_timeout mount_fdescfs allo
 emulator_flags allow_kmem exec_consolelog jdomain b_order allow_fdescfs allow_sysvipc protected hidden maintenance name allow_reserved_ports \
 childrenmax persist enforce_statfs state_time allow_raw_sockets allow_fusefs allow_linprocfs allow_linsysfs allow_read_msgbuf allow_vmm \
 allow_unprivileged_proc_debug sysvsem sysvshm sysvmsg mnt_start mnt_stop allow_mlock mount_procfs mount_linprocfs mount_linsysfs gid tags \
-ci_gw4 zfs_encryption boot_delay allow_nfsd jnameserver"
+ci_gw4 zfs_encryption boot_delay allow_nfsd jnameserver allow_suser allow_extattr allow_adjtime allow_settime"
 
 jname="text default 0 unique PRIMARY KEY"
 jid="integer default 0"
@@ -107,6 +107,11 @@ mnt_stop="text default 0"
 allow_mlock="integer default 0"
 allow_nfsd="integer default 0"
 
+allow_suser="boolean default 1"
+allow_extattr="boolean default 1"
+allow_adjtime="boolean default 0"
+allow_settime="boolean default 0"
+
 # global identifier in the cluster,
 # reserved for top-level management
 gid="UNSIGNED INTEGER DEFAULT 0"
diff --git a/subr/jsetup-tui.subr b/subr/jsetup-tui.subr
@@ -62,7 +62,7 @@ dialog_menu_main()
 		allow_nullfs allow_fdescfs allow_procfs allow_raw_sockets allow_read_msgbuf allow_reserved_ports allow_sysvipc \
 		allow_tmpfs allow_unprivileged_proc_debug allow_vmm allow_zfs applytpl astart floatresolv hidden mkhostsfile \
 		mount_devfs mount_fdescfs mount_procfs mount_linprocfs mount_linsysfs mount_fstab mount_kernel mount_obj \
-		mount_ports mount_src persist protected vnet allow_mlock allow_nfsd baserw"
+		mount_ports mount_src persist protected vnet allow_mlock allow_nfsd baserw allow_suser allow_extattr allow_adjtime allow_settime"
 
 	f_dialog_info "scan and build menu entry..."
 
diff --git a/subr/settings-tui-jail.subr b/subr/settings-tui-jail.subr
@@ -17,7 +17,11 @@ allow_nullfs_msg="Allow privileged users inside the jail mount and unmount NULLF
 allow_procfs_msg="Allow privileged users inside the jail mount and unmount PROCFS file system"
 allow_raw_sockets_msg="The jail root is allowed to create raw sockets"
 allow_read_msgbuf_msg="Allow an unprivileged user to read the kernel message buffer"
-allow_reserved_ports_msg="Allow the jail root may bind to ports lower than 1024. For FreeBSD 11.1+"
+allow_reserved_ports_msg="The jail root may bind to ports lower than 1024"
+allow_suser_msg="The value of the jail's security.bsd.suser_enabled sysctl.  The super-user will be disabled automatically if its parent system has it disabled.  The super-user is enabled by default"
+allow_extattr_msg="Allow privileged process in the jail to manipulate filesystem extended attributes in the system namespace"
+allow_adjtime_msg="Allow privileged process in the jail to slowly adjusting global operating system time.  For example through utilities like ntpd(8)"
+allow_settime_msg="Allow privileged process in the jail to set global operating system data and time.  For example through utilities like date(1).  This permission includes also allow.adjtime"
 sysvsem_msg="Controls access to SYSV semaphores"
 sysvshm_msg="Controls access to shared memory"
 sysvmsg_msg="Controls access to SYSV message queues"
@@ -778,10 +782,10 @@ get_construct_jail_options_menu()
 			_checkbox="${get_construct_jail_options_menu_checkbox}"
 		else
 			# default checkbox list
-			_checkbox="allow_devfs allow_dying allow_fusefs allow_linprocfs allow_linsysfs allow_kmem allow_mount \
-			allow_nullfs allow_fdescfs allow_procfs allow_raw_sockets allow_read_msgbuf allow_reserved_ports allow_sysvipc \
-			allow_tmpfs allow_unprivileged_proc_debug allow_vmm allow_zfs mount_devfs mount_fdescfs mount_procfs mount_linprocfs \
-			mount_linsysfs mount_fstab mount_kernel mount_obj mount_ports mount_src persist allow_mlock allow_nfsd"
+			_checkbox="allow_devfs allow_dying allow_fusefs allow_linprocfs allow_linsysfs allow_kmem allow_mount allow_nullfs allow_fdescfs \
+			allow_procfs allow_raw_sockets allow_read_msgbuf allow_reserved_ports allow_sysvipc allow_tmpfs allow_unprivileged_proc_debug allow_vmm \
+			allow_zfs mount_devfs mount_fdescfs mount_procfs mount_linprocfs mount_linsysfs mount_fstab mount_kernel mount_obj mount_ports \
+			mount_src persist allow_mlock allow_nfsd allow_suser allow_extattr allow_adjtime allow_settime"
 		fi
 	fi
 
@@ -999,6 +1003,11 @@ with_img_helpers="";
 allow_reserved_ports="${allow_reserved_ports}";
 allow_unprivileged_proc_debug="${allow_unprivileged_proc_debug}";
 
+allow_suser="${allow_suser}";
+allow_extattr="${allow_extattr}";
+allow_adjtime="${allow_adjtime}";
+allow_settime="${allow_settime}";
+
 persist="${persist}";
 childrenmax="${childrenmax}";
 enforce_statfs="${enforce_statfs}";
diff --git a/tools/makejconf b/tools/makejconf
@@ -339,24 +339,46 @@ if [ "${allow_mount}" = "1" ]; then
 	fi
 fi
 
-# this feature available for FreeBSD 12.0+
-if [ ${freebsdhostversion} -gt 1200043 ]; then
-	if [ "${allow_reserved_ports}" = "1" ]; then
-		echo "allow.reserved_ports = \"true\";" >> ${out}
+# this feature available for FreeBSD 14.2+
+if [ ${freebsdhostversion} -gt 1402000 ]; then
+	if [ "${allow_suser}" = "1" ]; then
+		echo "allow.suser = \"1\";" >> ${out}
 	else
-		echo "allow.reserved_ports = \"false\";" >> ${out}
+		echo "allow.suser = \"0\";" >> ${out}
+	fi
+
+	if [ "${allow_extattr}" = "1" ]; then
+		echo "allow.extattr = \"1\";" >> ${out}
+	else
+		echo "allow.extattr = \"0\";" >> ${out}
+	fi
+
+	if [ "${allow_adjtime}" = "1" ]; then
+		echo "allow.adjtime = \"1\";" >> ${out}
+	else
+		echo "allow.adjtime = \"0\";" >> ${out}
 	fi
-fi
 
-# this feature available for FreeBSD 12.0+
-if [ ${freebsdhostversion} -gt 1200043 ]; then
-	if [ "${allow_mlock}" = "1" ]; then
-		echo "allow.mlock = \"1\";" >> ${out}
+	if [ "${allow_settime}" = "1" ]; then
+		echo "allow.settime = \"1\";" >> ${out}
 	else
-		echo "allow.mlock = \"0\";" >> ${out}
+		echo "allow.settime = \"0\";" >> ${out}
 	fi
 fi
 
+
+if [ "${allow_reserved_ports}" = "1" ]; then
+	echo "allow.reserved_ports = \"true\";" >> ${out}
+else
+	echo "allow.reserved_ports = \"false\";" >> ${out}
+fi
+
+if [ "${allow_mlock}" = "1" ]; then
+	echo "allow.mlock = \"1\";" >> ${out}
+else
+	echo "allow.mlock = \"0\";" >> ${out}
+fi
+
 # allow.nfsd
 nfs_feat=$( ${SYSCTL_CMD} -qn kern.features.nfsd 2>/dev/null )
 if [ "${nfs_feat}" = "1" ]; then
diff --git a/upgrade/pre-patch-14.2.6.0 b/upgrade/pre-patch-14.2.6.0
@@ -0,0 +1,40 @@
+#!/bin/sh
+#v12.1.3
+# Update jails for allow_suser, allow_extattr, allow_adjtime, allow_settime
+: ${distdir="/usr/local/cbsd"}
+[ ! -r "${distdir}/subr/cbsdbootstrap.subr" ] && exit 1
+. ${distdir}/subr/cbsdbootstrap.subr || exit 1
+test_sql_stuff
+
+[ ! -h "${dbdir}/local.sqlite" ] && exit 0
+
+mydb="${dbdir}/local.sqlite"
+
+unset _test _count
+_count=$( ${miscdir}/sqlcli ${mydb} 'SELECT COUNT(jname) FROM jails WHERE emulator="jail"' )
+[ "${_count}" = "0" ] && exit 0	# no jails here
+_test=$( ${miscdir}/sqlcli ${mydb} "SELECT allow_suser FROM jails LIMIT 1" )
+if [ -z "${_test}" ]; then
+	${ECHO} "  * ${N1_COLOR}Update jails tables: add allow_suser${N0_COLOR}"
+	${miscdir}/sqlcli ${mydb} "ALTER TABLE jails ADD COLUMN allow_suser integer default '1'"
+fi
+
+_test=$( ${miscdir}/sqlcli ${mydb} "SELECT allow_extattr FROM jails LIMIT 1" )
+if [ -z "${_test}" ]; then
+	${ECHO} "  * ${N1_COLOR}Update jails tables: add allow_extattr${N0_COLOR}"
+	${miscdir}/sqlcli ${mydb} "ALTER TABLE jails ADD COLUMN allow_extattr integer default '1'"
+fi
+
+_test=$( ${miscdir}/sqlcli ${mydb} "SELECT allow_adjtime FROM jails LIMIT 1" )
+if [ -z "${_test}" ]; then
+	${ECHO} "  * ${N1_COLOR}Update jails tables: add allow_adjtime${N0_COLOR}"
+	${miscdir}/sqlcli ${mydb} "ALTER TABLE jails ADD COLUMN allow_adjtime integer default '0'"
+fi
+
+_test=$( ${miscdir}/sqlcli ${mydb} "SELECT allow_settime FROM jails LIMIT 1" )
+if [ -z "${_test}" ]; then
+	${ECHO} "  * ${N1_COLOR}Update jails tables: add allow_settime${N0_COLOR}"
+	${miscdir}/sqlcli ${mydb} "ALTER TABLE jails ADD COLUMN allow_settime integer default '0'"
+fi
+
+exit 0
