To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Christos Margiolis
Subject: git: a667352f6e3e - stable/15 - virtual_oss(8): Create loopback devices with GID_AUDIO
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: christos
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: a667352f6e3e496cada472f4c2294ff999345b39
Auto-Submitted: auto-generated
Date: Thu, 28 May 2026 09:39:57 +0000
Message-Id: <6a180d6d.31eb7.6fdb26b3@gitrepo.freebsd.org>

The branch stable/15 has been updated by christos:

URL: https://cgit.FreeBSD.org/src/commit/?id=a667352f6e3e496cada472f4c2294ff999345b39

commit a667352f6e3e496cada472f4c2294ff999345b39
Author:     Christos Margiolis
AuthorDate: 2026-05-06 16:19:27 +0000
Commit:     Christos Margiolis
CommitDate: 2026-05-28 09:39:37 +0000

    virtual_oss(8): Create loopback devices with GID_AUDIO

    Make sure the user is part of the audio group to avoid unintended
    snooping of loopback audio by unprivileged users.

    While here, retire voss_dsp_perm, since we don't use the same value
    everywhere now.

    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Reviewed by:    emaste
    Pull-Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/26

    (cherry picked from commit 5f904cb1b05c94453727abb606d6109fe504b10b)
---
 usr.sbin/virtual_oss/virtual_oss/main.c        | 27 +++++++++++++++++++++-----
 usr.sbin/virtual_oss/virtual_oss/virtual_oss.8 |  4 +++-
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/virtual_oss/virtual_oss/main.c b/usr.sbin/virtual_oss/virtual_oss/main.c index 7e677b6c5dbe..b66d17d940af 100644
--- a/usr.sbin/virtual_oss/virtual_oss/main.c +++ b/usr.sbin/virtual_oss/virtual_oss/main.c @@ -35,6 +35,7 @@ #include #include +#include #include #include #include @@ -1618,7 +1619,6 @@ int voss_is_recording = 1; int voss_has_synchronization; volatile sig_atomic_t voss_exit = 0; -static int voss_dsp_perm = 0666; static int voss_do_background; static int voss_baseclone = 0; static const char *voss_pid_path; @@ -1862,7 +1862,24 @@ dup_profile(vprofile_t *pvp, int *pamp, int pol, int rx_mute, { vprofile_t *ptr; struct cuse_dev *pdev; - int x; + struct group *gr; + gid_t gid; + int x, perm; + + if (!is_client) { + /* + * Loopback devices can be used only by users who part of the + * audio group, to avoid unintended snooping by unprivileged + * users. + */ + if ((gr = getgrnam("audio")) == NULL) + return ("getgrnam() failed"); + gid = gr->gr_gid; + perm = 0660; + } else { + gid = 0; + perm = 0666; + } rx_mute = rx_mute ? 1 : 0; tx_mute = tx_mute ? 1 : 0; @@ -1916,7 +1933,7 @@ dup_profile(vprofile_t *pvp, int *pamp, int pol, int rx_mute, /* create DSP character device */ pdev = cuse_dev_create(&vclient_oss_methods, ptr, NULL, - 0, 0, voss_dsp_perm, ptr->oss_name); + 0, gid, perm, ptr->oss_name); if (pdev == NULL) { free(ptr); return ("Could not create CUSE DSP device"); @@ -1933,7 +1950,7 @@ dup_profile(vprofile_t *pvp, int *pamp, int pol, int rx_mute, /* create WAV device */ if (ptr->wav_name[0] != 0) { pdev = cuse_dev_create(&vclient_wav_methods, ptr, NULL, - 0, 0, voss_dsp_perm, ptr->wav_name); + 0, gid, perm, ptr->wav_name); if (pdev == NULL) { free(ptr); return ("Could not create CUSE WAV device"); @@ -2610,7 +2627,7 @@ main(int argc, char **argv) if (voss_ctl_device[0] != 0) { pdev = cuse_dev_create(&vctl_methods, NULL, NULL, - 0, 0, voss_dsp_perm, voss_ctl_device); + 0, 0, 0666, voss_ctl_device); if (pdev == NULL) errx(EX_USAGE, "Could not create '/dev/%s'", voss_ctl_device); 
diff --git a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.8 b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.8 index b607f45cd369..b9dc8fd86a3c 100644 --- a/usr.sbin/virtual_oss/virtual_oss/virtual_oss.8 +++ b/usr.sbin/virtual_oss/virtual_oss/virtual_oss.8 @@ -23,7 +23,7 @@ .\" SUCH DAMAGE. .\" .\" -.Dd April 17, 2026 +.Dd May 7, 2026 .Dt VIRTUAL_OSS 8 .Os .Sh NAME @@ -162,6 +162,8 @@ This option should be specified before the -d and -l options. Create an OSS device by given name. .It Fl l Ar name Create a loopback OSS device by given name. +Users have to be part of the audio group to access this device. +This is a security measure to avoid unintended snooping by unprivileged users. .It Fl L Ar name Create a loopback OSS device which acts as a master device. This option is used in conjunction with -f /dev/null .
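Review bot: In the dup_profile() hunk (@@ -1862), the failure path for getgrnam("audio") returns the bare string "getgrnam() failed", which does not tell the operator which group could not be resolved, and getgrnam() returns NULL both when the entry is absent and when the lookup itself fails. Suggest naming the group in the returned message so a missing audio group is obvious when device creation fails. The commit subject also says GID_AUDIO while the code resolves the group by name at run time, so the subject and the code should be brought in line with whichever is intended. Minor: the new comment reads "users who part of the audio group" and is missing "are".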
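Review bot: In the main() hunk (@@ -2610), the control device is still created with gid 0 and mode 0666, now as a bare literal in the cuse_dev_create() call for voss_ctl_device, and neither the code nor the commit message says why it stays world-accessible while loopback devices move to 0660 and the audio group. Suggest a short comment at this call stating that the open mode is intentional, or applying the same group restriction if the control interface can reach loopback audio. With voss_dsp_perm retired, 0666 now appears as a literal both here and in the else branch of dup_profile(); a named constant would keep the two from drifting apart.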
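Review bot: In the virtual_oss.8 hunk (@@ -162), the audio group requirement is documented only under "-l name", but the "-L name" entry directly below also describes a loopback OSS device and gets no such note. The code change keys on !is_client rather than on a specific option, so if -L devices are created through the same path the man page should state the restriction there as well, or say once that it applies to both options.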