Date: Tue, 29 Jul 2025 12:49:03 GMT
Message-Id: <202507291249.56TCn3CS033358@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 3ad3ab5f9b6e - stable/14 - unix: Set O_RESOLVE_BENEATH on fds transferred between jails
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 3ad3ab5f9b6e91efc923bae9799697a823eb7227

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=3ad3ab5f9b6e91efc923bae9799697a823eb7227

commit 3ad3ab5f9b6e91efc923bae9799697a823eb7227
Author:     Mark Johnston
AuthorDate: 2025-06-24 20:05:37 +0000
Commit:     Mark Johnston
CommitDate: 2025-07-29 12:08:32 +0000

    unix: Set O_RESOLVE_BENEATH on fds transferred between jails

    If a pair of jails with different filesystem roots is able to exchange
    SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs mount),
    a process in one jail can open a directory outside of the root of the
    second jail and then pass the fd to that second jail, allowing the
    receiving process to escape the jail chroot.

    Address this using the new FD_RESOLVE_BENEATH flag. When externalizing
    an SCM_RIGHTS message into the receiving process, automatically set this
    flag on all new fds where a jail boundary is crossed. This ensures that
    the receiver cannot do more than access files underneath the directory;
    in particular, the received fd cannot be used to access vnodes not
    accessible by the sender.
PR: 262179 Reviewed by: kib MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D50371 (cherry picked from commit 350ba9672a7f4f16e30534a603df577dfd083b3f) --- sys/amd64/conf/SYZKALLER | 5 +++++ sys/kern/uipc_usrreq.c | 31 +++++++++++++++++++++++-------- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/sys/amd64/conf/SYZKALLER b/sys/amd64/conf/SYZKALLER new file mode 100644 index 000000000000..965841313616 --- /dev/null +++ b/sys/amd64/conf/SYZKALLER @@ -0,0 +1,5 @@ +include GENERIC-KASAN +ident SYZKALLER + +options COVERAGE +options KCOV diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 80ac5cc0b775..4df36221bc6a 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -58,7 +58,6 @@ * need a proper out-of-band */ -#include #include "opt_ddb.h" #include @@ -68,6 +67,7 @@ #include #include #include +#include #include #include #include @@ -2433,22 +2433,34 @@ unp_freerights(struct filedescent **fdep, int fdcount) free(fdep[0], M_FILECAPS); } +static bool +restrict_rights(struct file *fp, struct thread *td) +{ + struct prison *prison1, *prison2; + + prison1 = fp->f_cred->cr_prison; + prison2 = td->td_ucred->cr_prison; + return (prison1 != prison2 && prison1->pr_root != prison2->pr_root && + prison2 != &prison0); +} + static int unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) { struct thread *td = curthread; /* XXX */ struct cmsghdr *cm = mtod(control, struct cmsghdr *); - int i; int *fdp; struct filedesc *fdesc = td->td_proc->p_fd; struct filedescent **fdep; void *data; socklen_t clen = control->m_len, datalen; - int error, newfds; + int error, fdflags, newfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + fdflags = (flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0; + error = 0; if (controlp != NULL) /* controlp == NULL => free control messages */ *controlp = NULL; 
@@ -2490,11 +2502,14 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) *controlp = NULL; goto next; } - for (i = 0; i < newfds; i++, fdp++) { - _finstall(fdesc, fdep[i]->fde_file, *fdp, - (flags & MSG_CMSG_CLOEXEC) != 0 ? O_CLOEXEC : 0, - &fdep[i]->fde_caps); - unp_externalize_fp(fdep[i]->fde_file); + for (int i = 0; i < newfds; i++, fdp++) { + struct file *fp; + + fp = fdep[i]->fde_file; + _finstall(fdesc, fp, *fdp, fdflags | + (restrict_rights(fp, td) ? + O_RESOLVE_BENEATH : 0), &fdep[i]->fde_caps); + unp_externalize_fp(fp); } /*
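Review bot: the new sys/amd64/conf/SYZKALLER kernel configuration (include GENERIC-KASAN, options COVERAGE, options KCOV) is unrelated to the unix-socket change, and the commit message does not mention it; the diffstat lists it as a second file with 5 insertions. If it rode along in the cherry-pick by accident it should be dropped from this MFC, otherwise it deserves its own commit and message.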
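Review bot: restrict_rights() carries no comment explaining the three conditions it encodes, and its name lacks the unp_ prefix used by the neighbouring static helpers (unp_freerights, unp_externalize_fp). A short block comment should state that the check keys on fp->f_cred, the credential that opened the file, rather than on the sending process; that a receiver in prison0 is deliberately exempt (`prison2 != &prison0`); and that two jails sharing the same pr_root are treated as not crossing a boundary. In the same hunk, the added `error = 0;` has no visible consumer in this diff; if a later path in unp_externalize() now reads error before assigning it, a comment at that point would make the initialization self-explanatory.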
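Review bot: in the rewritten loop, `fdflags | (restrict_rights(fp, td) ? O_RESOLVE_BENEATH : 0)` re-derives td->td_ucred->cr_prison for every descriptor although only fp->f_cred varies between iterations; since fdflags was already hoisted out of the loop for the same reason, passing the receiver's prison into the helper once would keep the per-fd work to the pointer comparisons. Minor, and the behaviour is correct as written.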
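Added example, not code from the commit or from the FreeBSD tree: a user-space view of the unp_externalize() path the patch changes. A descriptor is sent over a socketpair as SCM_RIGHTS, received with MSG_CMSG_CLOEXEC (the flag the patch folds into fdflags), and the flags the kernel installed on the new descriptor are read back with fcntl(F_GETFD). The function names are hypothetical and the pipe end being passed is constructed for the example.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

union cbuf { struct cmsghdr hdr; char bytes[CMSG_SPACE(sizeof(int))]; };

/* Sender side: one payload byte plus an SCM_RIGHTS cmsg carrying fd. */
static int send_fd(int sock, int fd)
{
    char byte = 'x'; union cbuf c;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = c.bytes, .msg_controllen = sizeof(c) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receiver side: MSG_CMSG_CLOEXEC is what unp_externalize() maps to O_CLOEXEC;
 * on FreeBSD the kernel ORs in O_RESOLVE_BENEATH itself on a jail crossing. */
static int recv_fd(int sock)
{
    char byte; union cbuf c; int fd = -1;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = c.bytes, .msg_controllen = sizeof(c) };
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1)
        return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm != NULL && cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Pass a pipe end through a socketpair and return the F_GETFD flags the
 * kernel installed on the received copy; FD_CLOEXEC must be among them. */
int passed_fd_flags(void)
{
    int sv[2], p[2], rfd, flags = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || pipe(p) != 0)
        return -1;
    if (send_fd(sv[0], p[0]) == 0 && (rfd = recv_fd(sv[1])) >= 0) {
        flags = fcntl(rfd, F_GETFD);
        close(rfd);
    }
    close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
    return flags;
}
```

On a stable/14 kernel carrying this commit, the same F_GETFD query also reports the FD_RESOLVE_BENEATH flag named in the commit message on descriptors that arrived across a jail boundary; elsewhere only FD_CLOEXEC appears.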