Date: Tue, 7 Nov 2023 21:03:27 GMT
Message-Id: <202311072103.3A7L3RSu004042@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Ed Maste
Subject: git: 1fcd79ec74 - main - 14.0 relnotes: Additions
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-BeenThere: dev-commits-doc-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1fcd79ec744786b6835f141246a2aeed2c01140e
Auto-Submitted: auto-generated

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/doc/commit/?id=1fcd79ec744786b6835f141246a2aeed2c01140e

commit 1fcd79ec744786b6835f141246a2aeed2c01140e
Author:     Olivier Certner
AuthorDate: 2023-11-07 09:41:29 +0000
Commit:     Ed Maste
CommitDate: 2023-11-07 21:02:56 +0000

    14.0 relnotes: Additions

    - Changes to the 'security.bsd.see_jail_proc' security policy.
    - Changes to the 'security.bsd.see_other_gids' security policy.
    - Zenbleed bug/vulnerability

    Reviewed by:    carlavilla, karels
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D42488
---
 website/content/en/releases/14.0R/relnotes.adoc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/website/content/en/releases/14.0R/relnotes.adoc b/website/content/en/releases/14.0R/relnotes.adoc
index 8891b0b8bd..deb784cfec 100644
--- a/website/content/en/releases/14.0R/relnotes.adoc
+++ b/website/content/en/releases/14.0R/relnotes.adoc
@@ -444,6 +444,20 @@ Previously, timerfd was only available under Linux emulation. For programs written only for FreeBSD, the man:kqueue[2] EVFILT_TIMER filter is preferred for establishing arbitrary timers. gitref:af93fea71038[repository=src] +The process visibility policy controlled by the `security.bsd.see_jail_proc` man:sysctl[8] knob was hardened by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them. +It was also made overridable by MAC policies, as are the other process visibility policies. +gitref:7e21c691f295[repository=src] gitref:63c01c18a8d3[repository=src] (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation) + +The process visibility policy controlled by the `security.bsd.see_other_gids` man:sysctl[8] knob was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process' groups. +The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit, whereas they should not see processes launched by a privileged user that temporarily enters the user's primary group. +This new behavior is consistent with what `security.bsd.see_other_uids` has always been doing for user IDs (i.e., considering some process' real user ID and not the effective ID). +gitref:26ff4836c888[repository=src] (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation) + +The Zenbleed bug affecting AMD Zen2 processors is now automatically mitigated (via chicken bit), preventing misbehavior and data leaks on affected machines. +If needed, applying the mitigation can be manually controlled via the `machdep.mitigations.zenbleed.enable` man:sysctl[8] knob. 
+Please consult the new man:mitigations[7] manual page for more information. +gitref:aea76bab1416[repository=src] (Sponsored by The FreeBSD Foundation) + [[drivers]] == Devices and Drivers
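Review bot: the new `security.bsd.see_jail_proc` paragraph folds the old behavior, the precondition and the fix into one sentence ("preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them"), which is hard to parse and leaves unclear whether "would succeed" describes the behavior before or after the change. Suggest splitting it into a "previously" sentence and a "now" sentence, e.g. "Previously, a user could kill, change the priority of, or debug a process with the same real UID in a sub-jail by guessing its PID, even though the policy hid that process from them. These operations are now denied as well." The same line is also missing an article ("with the same real UID"). In the `security.bsd.see_other_gids` paragraph, "some user should continue to see processes it has launched" reads better as "a user should continue to see processes they have launched", and "has always been doing" as "has always done". In the Zenbleed paragraph, the line "If needed, applying the mitigation can be manually controlled via the `machdep.mitigations.zenbleed.enable` man:sysctl[8] knob" follows a sentence saying the mitigation is automatic; naming the knob's default and which value selects the automatic behavior would tell readers when they actually need to touch it.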