To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 73530e4c2ea9 - stable/13 - unix: Set O_RESOLVE_BENEATH on fds transferred between jails
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 73530e4c2ea92564e393e0497f13dfac251a41b7
Date: Mon, 09 Feb 2026 20:44:00 +0000
Message-Id: <698a4710.3fcb6.2c0bcaa1@gitrepo.freebsd.org>

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=73530e4c2ea92564e393e0497f13dfac251a41b7

commit 73530e4c2ea92564e393e0497f13dfac251a41b7
Author:     Mark Johnston
AuthorDate: 2025-06-24 20:05:37 +0000
Commit:     Mark Johnston
CommitDate: 2026-02-09 17:48:55 +0000

unix: Set O_RESOLVE_BENEATH on fds transferred between jails

If a pair of jails with different filesystem roots is able to exchange
SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs
mount), a process in one jail can open a directory outside of the root
of the second jail and then pass the fd to that second jail, allowing
the receiving process to escape the jail chroot.

Address this using the new FD_RESOLVE_BENEATH flag. When externalizing
an SCM_RIGHTS message into the receiving process, automatically set
this flag on all new fds where a jail boundary is crossed. This ensures
that the receiver cannot do more than access files underneath the
directory; in particular, the received fd cannot be used to access
vnodes not accessible by the sender.

PR: 262179 Reviewed by: kib MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D50371 (cherry picked from commit 350ba9672a7f4f16e30534a603df577dfd083b3f) --- sys/amd64/conf/SYZKALLER | 5 +++++ sys/kern/uipc_usrreq.c | 31 +++++++++++++++++++++++-------- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/sys/amd64/conf/SYZKALLER b/sys/amd64/conf/SYZKALLER new file mode 100644 index 000000000000..965841313616 --- /dev/null +++ b/sys/amd64/conf/SYZKALLER @@ -0,0 +1,5 @@ +include GENERIC-KASAN +ident SYZKALLER + +options COVERAGE +options KCOV diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 0f5048a96e89..4043e7260d0f 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -57,7 +57,6 @@ * need a proper out-of-band */ -#include #include "opt_ddb.h" #include @@ -67,6 +66,7 @@ #include #include #include +#include #include #include #include @@ -1993,22 +1993,34 @@ unp_freerights(struct filedescent **fdep, int fdcount) free(fdep[0], M_FILECAPS); } +static bool +restrict_rights(struct file *fp, struct thread *td) +{ + struct prison *prison1, *prison2; + + prison1 = fp->f_cred->cr_prison; + prison2 = td->td_ucred->cr_prison; + return (prison1 != prison2 && prison1->pr_root != prison2->pr_root && + prison2 != &prison0); +} + static int unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) { struct thread *td = curthread; /* XXX */ struct cmsghdr *cm = mtod(control, struct cmsghdr *); - int i; int *fdp; struct filedesc *fdesc = td->td_proc->p_fd; struct filedescent **fdep; void *data; socklen_t clen = control->m_len, datalen; - int error, newfds; + int error, fdflags, newfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + fdflags = (flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0; + error = 0; if (controlp != NULL) /* controlp == NULL => free control messages */ *controlp = NULL; 
@@ -2059,11 +2071,14 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) *controlp = NULL; goto next; } - for (i = 0; i < newfds; i++, fdp++) { - _finstall(fdesc, fdep[i]->fde_file, *fdp, - (flags & MSG_CMSG_CLOEXEC) != 0 ? O_CLOEXEC : 0, - &fdep[i]->fde_caps); - unp_externalize_fp(fdep[i]->fde_file); + for (int i = 0; i < newfds; i++, fdp++) { + struct file *fp; + + fp = fdep[i]->fde_file; + _finstall(fdesc, fp, *fdp, fdflags | + (restrict_rights(fp, td) ? + O_RESOLVE_BENEATH : 0), &fdep[i]->fde_caps); + unp_externalize_fp(fp); } /*
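Review bot: the new file sys/amd64/conf/SYZKALLER is not mentioned anywhere in the commit message, which describes only the SCM_RIGHTS change in sys/kern/uipc_usrreq.c. A kernel config that includes GENERIC-KASAN and turns on COVERAGE and KCOV looks unrelated to the jail fix. Either drop it from this commit or add a sentence to the log explaining why it is part of the cherry-pick.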
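Review bot: restrict_rights() in sys/kern/uipc_usrreq.c carries no comment explaining its three-part condition, and the choice of credentials is not obvious from the code. prison1 is taken from fp->f_cred, the credential stored on the file, not from the process that sent the message, while the commit message reasons about what the sender can access. The `prison2 != &prison0` term also leaves a receiver in prison0 unrestricted. A block comment above the function should state why the file's credential is the one compared, why differing pr_root is required in addition to differing prisons, and why prison0 receivers are exempt. Naming the locals for their roles (file prison, receiver prison) instead of prison1/prison2 would make the return expression easier to audit.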
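Review bot: in the _finstall() loop of unp_externalize(), the flag ORed into fdflags is O_RESOLVE_BENEATH, but the body of the commit message says the fix uses "the new FD_RESOLVE_BENEATH flag". The subject line and the code agree with each other and the body does not, so please reconcile them: either correct the log, or add a comment at the call noting that this argument (the same one that receives O_CLOEXEC) is where the per-descriptor restriction is requested. A one-line comment above the loop saying that fds crossing a jail boundary are installed restricted would also help the next reader of this function.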