diff --git libexec/rc/rc.subr libexec/rc/rc.subr
index df91737566d5..5e61715c8b72 100644
--- libexec/rc/rc.subr
+++ libexec/rc/rc.subr
@@ -1271,7 +1271,8 @@ $command $rc_flags $command_args"
 start)
 # We cannot use protect(1) inside jails.
 if [ -n "$_oomprotect" ] && [ -f "${PROTECT}" ] &&
-[ "$(sysctl -n security.jail.jailed)" -eq 0 ]; then
+[ "$(sysctl -n security.jail.jailed)" -eq 0 -o \
+"$(sysctl -n security.jail.allow_protect)" -eq 1 ]; then
 [ -z "${rc_pid}" ] && eval $_pidcmd
 case $_oomprotect in
 [Aa][Ll][Ll])
diff --git sys/kern/kern_jail.c sys/kern/kern_jail.c
index a815f423dbad..ff71f3e6484f 100644
--- sys/kern/kern_jail.c
+++ sys/kern/kern_jail.c
@@ -207,6 +207,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
 {"allow.quotas", "allow.noquotas", PR_ALLOW_QUOTAS},
 {"allow.socket_af", "allow.nosocket_af", PR_ALLOW_SOCKET_AF},
 {"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK},
+{"allow.protect", "allow.noprotect", PR_ALLOW_MADV_PROTECT},
 {"allow.reserved_ports", "allow.noreserved_ports",
 PR_ALLOW_RESERVED_PORTS},
 {"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF},
@@ -3693,6 +3694,15 @@ prison_priv_check(struct ucred *cred, int priv)
 else
 return (EPERM);
 
+/*
+ * Conditionnaly allow protecting processes.
+ */
+case PRIV_VM_MADV_PROTECT:
+if (cred->cr_prison->pr_allow & PR_ALLOW_MADV_PROTECT)
+return (0);
+else
+return (EPERM);
+
 /*
 * Conditionally allow jailed root to bind reserved ports.
 */
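Review bot: The `-o` operator inside one `[ ]` on the two new lines is marked obsolescent by POSIX and is inconsistent with the `&&`-joined separate tests on the line just above it; the same condition written as two tests is `{ [ "$(sysctl -n security.jail.jailed)" -eq 0 ] || [ "$(sysctl -n security.jail.allow_protect)" -eq 1 ]; }`. The context comment `# We cannot use protect(1) inside jails.` is now stale and should read something like `# protect(1) only works outside a jail, or inside a jail that has allow.protect set.`. On a kernel that lacks the `security.jail.allow_protect` OID, `sysctl -n` presumably prints nothing, so `[ "" -eq 1 ]` would produce a test error rather than a clean false — worth confirming and, if so, redirecting stderr and defaulting the value to 0. The `start)` case body continues outside the hunk.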
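Review bot: The comment added above the new `case PRIV_VM_MADV_PROTECT:` misspells "Conditionally" as "Conditionnaly"; the neighbouring context comment in the same hunk has the correct spelling, so the line should read ` * Conditionally allow protecting processes.`. The check itself follows the same `pr_allow` bit-test shape as the surrounding cases, so nothing else in this hunk needs changing. prison_priv_check begins and ends outside the hunk.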
@@ -4012,6 +4022,10 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
 NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
 "Processes in jail can mount/unmount jail-friendly file systems (deprecated)");
+SYSCTL_PROC(_security_jail, OID_AUTO, allow_protect,
+ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+ NULL, PR_ALLOW_MADV_PROTECT, sysctl_jail_default_allow, "I",
+ "Jail may use madvise(MADV_PROTECT) and protect(1) processes (deprecated)");
 
 static int
 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
@@ -4168,6 +4182,8 @@ SYSCTL_JAIL_PARAM(_allow, unprivileged_proc_debug, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Unprivileged processes may use process debugging facilities");
 SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Processes in jail with uid 0 have privilege");
+SYSCTL_JAIL_PARAM(_allow, protect, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may use madvise(MADV_PROTECT) and protect(1) processes");
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git sys/sys/jail.h sys/sys/jail.h
index b0183d404352..8b13e24867d8 100644
--- sys/sys/jail.h
+++ sys/sys/jail.h
@@ -247,7 +247,8 @@ struct prison_racct {
 #define PR_ALLOW_SUSER 0x00000400
 #define PR_ALLOW_RESERVED_PORTS 0x00008000
 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
-#define PR_ALLOW_ALL_STATIC 0x000187ff
+#define PR_ALLOW_MADV_PROTECT 0x00020000
+#define PR_ALLOW_ALL_STATIC 0x000287ff
 
 /*
 * PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git usr.sbin/jail/jail.8 usr.sbin/jail/jail.8
index 61fe91cf973e..0168b5c89d2e 100644
--- usr.sbin/jail/jail.8
+++ usr.sbin/jail/jail.8
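Review bot: The new `security.jail.allow_protect` OID breaks the naming pattern of its neighbour in this hunk, which uses the `<name>_allowed` form (`mount_allowed`), and its description copies the "(deprecated)" suffix from that neighbour even though the knob is being introduced here and the rc.subr hunk in this same commit starts reading it. Either name it `protect_allowed` for consistency with the existing OIDs, or drop `(deprecated)` from the description if this sysctl is intended to be the supported way for rc.subr to query the jail's flag; in both cases the string `security.jail.allow_protect` hard-coded in rc.subr must stay in sync with the name chosen here. Whether the older `*_allowed` OIDs are deprecated in favour of the `security.jail.param.allow.*` descriptors is inferred from their descriptions, not shown in this hunk.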
@@ -583,6 +583,19 @@ or memory subject to
 .Va security.bsd.unprivileged_mlock
 and resource limits.
+.It Va allow.protect
+Setting process protection state is normally not available
+within a jail.
+When this parameter is set, users may
+.Xr procctl 2
+or
+.Xr protect 1
+on processes,
+or
+.Xr madvise 2
+with flag
+.Sy MADV_PROTECT
+on memory.
 .It Va allow.reserved_ports
 The jail root may bind to ports lower than 1024.
 .It Va allow.unprivileged_proc_debug