From: freebsdlists
Date: Tue, 22 Apr 2025 12:50:22 +0000
To: freebsd-security@freebsd.org
Subject: Status of mac_portacl Support in Jails?
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hello,

I recently came across an old thread from 2005 where Pawel Jakub Dawidek published a patch to enable the use of mac_portacl within jails:
https://lists.freebsd.org/pipermail/freebsd-security/2005-May/002961.html

In the same thread, it was mentioned that Samy Al Bahra had a more flexible patch for this purpose.

I was wondering - what became of this effort? Was any version of this ever integrated into the FreeBSD source tree or made available through another channel? Even 20 years later, this functionality would still be highly useful. For example, the Caddy web server - which by default runs as root - could benefit from mac_portacl when running in a jail.

Any information or pointers would be greatly appreciated.

Regards,
Tom