To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Jan Bramkamp
From: Colin Percival
Subject: git: 38c5d60c367e - releng/15.1 - jail: avoid leaking jail config fds to exec.* hooks
Date: Thu, 07 May 2026 20:40:21 +0000
Message-Id: <69fcf8b5.2221d.3c6fd090@gitrepo.freebsd.org>
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches

The branch releng/15.1 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=38c5d60c367e788341e059ee3940183c293956ba

commit 38c5d60c367e788341e059ee3940183c293956ba
Author:     Jan Bramkamp
AuthorDate: 2026-05-06 23:28:53 +0000
Commit:     Colin Percival
CommitDate: 2026-05-07 20:39:42 +0000

jail: avoid leaking jail config fds to exec.* hooks

The jail(8) command must not leave parsed configuration files open since the file descriptors will be leaked to child processes including the untrusted exec.start or exec.stop hooks.

While fopen() doesn't provide direct access to O_CLOEXEC, it does provide access to FD_CLOEXEC via "e" in the mode string which provides the desired defense in depth against leaking file descriptors into exec.* hooks since those always execve() into a shell.

Jail configuration is potentially sensitive and some hooks execute from within the jail context, leaving some opening for the jail to exfiltrate information about the host environment.

(Commit message wordsmithed by kevans) Approved by: re (cperciva) PR: 295052 Reviewed by: kevans (cherry picked from commit 276d9b88a9e6fd6fd90e57c36444756ad297d2ab) (cherry picked from commit c35bb8ba898482920bf9b57967a9a11f98a89c81) --- usr.sbin/jail/config.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c index 1bad04ccde68..f1e2da215790 100644 --- a/usr.sbin/jail/config.c +++ b/usr.sbin/jail/config.c @@ -321,6 +321,7 @@ static void parse_config(const char *cfname, int is_stdin) { struct cflex cflex = {.cfname = cfname, .error = 0}; + FILE *yfp = NULL; void *scanner; yylex_init_extra(&cflex, &scanner); @@ -328,7 +329,7 @@ parse_config(const char *cfname, int is_stdin) cflex.cfname = "STDIN"; yyset_in(stdin, scanner); } else { - FILE *yfp = fopen(cfname, "r"); + yfp = fopen(cfname, "re"); if (!yfp) err(1, "%s", cfname); yyset_in(yfp, scanner); @@ -336,6 +337,8 @@ parse_config(const char *cfname, int is_stdin) if (yyparse(scanner) || cflex.error) exit(1); yylex_destroy(scanner); + if (yfp != NULL) + fclose(yfp); } /*
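Review bot: In the hunk at -328,7, the `e` in the new mode string is the only thing keeping the descriptor out of child processes while the file is still open, and nothing in the code says why it is there. A one-line comment above `yfp = fopen(cfname, "re");` noting that the stream must not survive execve() into the exec.* hook shells would keep a later cleanup from quietly turning it back into "r". The is_stdin branch is untouched, which fits since no stream is opened there, but any other place in jail(8) that opens a configuration path is not visible in this diff and should be checked for the same mode.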
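Review bot: In the last hunk (-336,6), `fclose(yfp)` is reached only when `yyparse()` succeeds and `cflex.error` is clear; the `exit(1)` path directly above skips it. That is harmless as written because the process ends there, but if parse_config() is ever changed to return an error instead of exiting, the close-on-exec flag from "re" becomes the only protection, so the two halves of this change should be kept together. The diffstat shows only usr.sbin/jail/config.c touched: a regression test in which an exec.start hook inspects its own open descriptors and fails when one refers to the configuration file would pin the behaviour down.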