Bug 228454 - running acpiconf -s 4 in a jail as root sends the host to sleep
Summary: running acpiconf -s 4 in a jail as root sends the host to sleep
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 11.1-RELEASE
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-jail mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-24 08:06 UTC by Kurt Jaeger
Modified: 2018-05-24 16:53 UTC (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kurt Jaeger freebsd_committer 2018-05-24 08:06:21 UTC
acpiconf -s 4 in a jail sends the host to sleep -- this should not be possible from a jail.
Comment 1 Steve Wills freebsd_committer 2018-05-24 11:37:17 UTC
Can you show the contents of /dev/ inside the jail?
Comment 2 Kurt Jaeger freebsd_committer 2018-05-24 11:41:27 UTC
It's the same as the base host, except /var/log/.

So I guess it's time to add devfs_ruleset=4 to the jail start ?
Comment 3 Kurt Jaeger freebsd_committer 2018-05-24 11:41:42 UTC
ups, /dev/log, not /var/log
Comment 4 Steve Wills freebsd_committer 2018-05-24 11:57:19 UTC
(In reply to Kurt Jaeger from comment #3)
Yeah, I don't think this is a bug, merely a mis-configuration.
Comment 5 Conrad Meyer freebsd_committer 2018-05-24 15:07:41 UTC
(In reply to Steve Wills from comment #4)
Hm, seems like a bug to me.  Why should jail root ever be allowed to suspend the host?
Comment 6 Conrad Meyer freebsd_committer 2018-05-24 15:14:04 UTC
In fact, /dev/acpi (sys/dev/acpica/acpic.c acpiopen(), acpiioctl()) does not priv_check() at all!  Only validates that the user was able to open the device writable (i.e., Unix permissions, which are not sufficient for jailing root).
Comment 7 Miroslav Lachman 2018-05-24 15:22:35 UTC
(In reply to Conrad Meyer from comment #6)
Jails are not about user(s) (and never was). It's about devices in /dev/. Once you give a jail full /dev/ then users in jail can do whatever they like. Similar to host.
Comment 8 Conrad Meyer freebsd_committer 2018-05-24 15:26:54 UTC
(In reply to Miroslav Lachman from comment #7)
That is not true.  See priv_check_cred() / prison_priv_check().  Root in jails is constrained beyond root on host, even with /dev access.
Comment 9 Steve Wills freebsd_committer 2018-05-24 15:33:47 UTC
(In reply to Conrad Meyer from comment #8)
Then I guess once this bug is fixed, we need to remove the devfs rules for jails, since they won't be needed.
Comment 10 Conrad Meyer freebsd_committer 2018-05-24 16:11:40 UTC
(In reply to Steve Wills from comment #9)
Please don't be snarky :( -- we're all trying to make FreeBSD better.

No, priv_check does not obsolete devfs rulesets.  devfs rulesets are still necessary for configuring access at runtime, or per-jail configurations -- so not everything can be covered by {prison_,}priv_check.

That said, I don't see any legitimate need (or use) for a jail to be able to ACPI sleep the host.  Do you?  I think this is one that can be safely disabled for all jails via the {prison_,}priv_check mechanism.
Comment 11 Steve Wills freebsd_committer 2018-05-24 16:53:01 UTC
(In reply to Conrad Meyer from comment #10)
Sorry, I guess I misunderstood your comment.