jail: document the mac.label parameter
In particular, we should provide a hint about mac.conf(5), since libjail
will just use the mac_prepare_type(3) API to provide a reasonably sane
interface for system administrators. Progammers wanting to fetch an
arbitrary MAC label would need to bypass libjail and use jail_get(2)
directly with their own prepared `struct mac`.
Differential Revision: https://reviews.freebsd.org/D54067
libjail: extend struct handlers to included MAC labels
MAC label handling is a little special; to avoid being too disruptive,
we allocate a `mac_t *` here for the value so that we can mac_prepare()
or mac_from_text() into. As a result, we need:
- A custom free() handler to avoid leaking the *jp_value
- A custom jailparam_get() handler to mac_prepare() the mac_t and
populate the iove properly, so that the kernel doesn't have to
do something funky like copyin, dereference, copyin again.
- A custom jailparam_set() handler to similarly populate the iovec
properly.
Reviewed by: jamie
Differential Revision: https://reviews.freebsd.org/D53960
libjail: start refactoring struct ioctl support
Instead of ad-hoc comparisons against the struct type in a few places,
start to abstract out an interface for dealing with struct types. For
now, this just means that we have some special jailparam_import and
jailparam_export handling for the ip addr types, but in the next commit
we'll extend it further to support MAC labels.
Reviewed by: jamie
Differential Revision: https://reviews.freebsd.org/D53959
kern: add a mac.label jail parameter
Have it take a `struct mac` and we'll paper over the difference for
jail(8)/jls(8) in libjail(3). The mac_syscalls.h model is taken from
mac_set_proc_*() that were previously done.
Reviewed by: olce
Differential Revision: https://reviews.freebsd.org/D53958
mac: add macros for 5-argument SDT probes
A last-minute change to the jail MAC entry points in D53954 is going to
pass the jail_[gs]et(2) flags to mac_prison_check_[gs]et() so that a
policy can, e.g., reject or allow a change if the intent is to
immediately attach, or disallow some fetching of dying jails.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D54658
kern: mac: pull mac_label_copyin_string out
A future commit to the area will further our jail integration and add
a use for this: the struct mac itself was already copied in as part of
vfs_buildopts(), so we only need to copyin the strings.
We add an explicit flag argument because the jail operation will need to
do it while holding the prison lock.
Reviewed by: olce
Differential Revision: https://reviews.freebsd.org/D53957
mac_set_fd(3): add support for jail descriptors
We'll still add an old-fashioned jail param to configure jail MAC
labels, but for testing it's really easy to grab a jaildesc and use
that.
Reviewed by: jamie, olce
Differential Revision: https://reviews.freebsd.org/D53956
jaildesc: add an accessor for the struct prison in a jaildesc
We'll subsequently use this in the MAC framework to get a struct prison
when we already have the struct file in question, rather than an fd.
Reviewed by: jamie, olce
Differential Revision: https://reviews.freebsd.org/D53955
kern: mac: add various jail MAC hooks
This adds the following hooks:
- mpo_prison_check_attach: check for subject capability to attach to
a given jail
- mpo_prison_check_create: check for subject capability to create a
jail with the given option set
- mpo_prison_check_get: check for subject capability to fetch the
given parameters for a jail
- mpo_prison_check_set: check for subject capability to set the
given parameters for a jail
- mpo_prison_check_remove: check for subject capability to remove the
jail
check_get wouldn't typically be a privileged operation, but is included
to give MAC policies a wider range of capabilities at a relatively low
cost. We also add two more for the purpose of label propagation:
- mpo_prison_created: surface the creation of a jail so that one can
do propagation to, e.g., the root vnode or any mounts
[28 lines not shown]
nfsd: Fix handling of attributes during Open/Create/Exclusive_41
When an NFSv4.n client specifies settings for attributes other
mode during a Open/Create/Exclusive_41, these other attributes
were not being set.
This patch resolves the problem by calling nfsrv_fixsattr()
after the VOP_CREATE() call in nfsvno_open() for this case.
There is no extant NFSv4.n client that currently does this,
as far as I know.
MFC after: 2 weeks
linux: on vnet detach call clean_unrhdr(9) always
The assumption was incorrect, and the current VIMAGE implementation leaves
a possibility for some interfaces still exist in a jail that is going
away.
Fixes: 607f11055d2d421770963162a4d9a99cdd136152
libarchive: merge from vendor branch
libarchive 3.8.3
Important bugfixes:
#2753 lib: Create temporary files in the target directory
#2768 lha: Fix for an out-of-bounds buffer overrun when using
p[H_LEVEL_OFFSET]
#2769 7-zip: Fix a buffer overrun when reading truncated 7zip headers
#2771 lz4 and zstd: Support both lz4 and zstd data with leading
skippable frames
Obtained from: libarchive
Vendor commit: 1368b08875351df8aa268237b882c8f4ceb0882d
MFC after: 1 week
(cherry picked from commit 007679a138089676aadc9a712277f4004403b905)
libarchive: merge from vendor branch
libarchive 3.8.3
Important bugfixes:
#2753 lib: Create temporary files in the target directory
#2768 lha: Fix for an out-of-bounds buffer overrun when using
p[H_LEVEL_OFFSET]
#2769 7-zip: Fix a buffer overrun when reading truncated 7zip headers
#2771 lz4 and zstd: Support both lz4 and zstd data with leading
skippable frames
Obtained from: libarchive
Vendor commit: 1368b08875351df8aa268237b882c8f4ceb0882d
MFC after: 1 week
(cherry picked from commit 007679a138089676aadc9a712277f4004403b905)
libarchive: merge from vendor branch
libarchive 3.8.3
Important bugfixes:
#2753 lib: Create temporary files in the target directory
#2768 lha: Fix for an out-of-bounds buffer overrun when using
p[H_LEVEL_OFFSET]
#2769 7-zip: Fix a buffer overrun when reading truncated 7zip headers
#2771 lz4 and zstd: Support both lz4 and zstd data with leading
skippable frames
Obtained from: libarchive
Vendor commit: 1368b08875351df8aa268237b882c8f4ceb0882d
MFC after: 1 week
(cherry picked from commit 007679a138089676aadc9a712277f4004403b905)
makefs: tests: Fix timestamp-related tests
Use a variable for mtree that includes the DEFAULT_MTREE_KEYWORDS, in
order to avoid missing the important "time" keyword or passing an
unimplemented "nlink" keyword.
Unskip the "failing" tests, and comment out the specific failing checks,
these will be addressed (or at least discussed) in a different revision.
For MS-DOS tests, use an even value timestamp, as precision is 2s.
For ZFS tests, use import_image instead of mount_image consistently.
Reviewed by: bnovkov, markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54429
(cherry picked from commit 93b15dbc1fbc3c33c9bd53091b28c3b629d0abe1)
makefs: tests: Fix -D flag test
As stated in the manual page:
-F is almost certainly not the option you are looking for. To
create an image from a list of files in an mtree format manifest,
specify it as the last argument on the command line, not as the
argument to -F.
This change does exactly that. Also bug #192839 has already been fixed.
Reviewed by: ngie
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D54428
(cherry picked from commit 96efda9cd55689ef3fa067281d8b0a42a7122536)
