Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 29 Jul 2025 12:49:45 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 262180] jail escaping via jail-friendly nullfs
Message-ID:  <bug-262180-227-VHGrf0WFFJ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-262180-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | previous in thread | raw e-mail 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262180

--- Comment #12 from commit-hook@FreeBSD.org ---
A commit in branch stable/14 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=10b3f2138573da952b4db29f88f6d67cfc3300cd

commit 10b3f2138573da952b4db29f88f6d67cfc3300cd
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-06-24 20:17:07 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-07-29 12:08:32 +0000

    file: Add a fd flag with O_RESOLVE_BENEATH semantics

    The O_RESOLVE_BENEATH openat(2) flag restricts name lookups such that
    they remain under the directory referenced by the dirfd.  This commit
    introduces an implicit version of the flag, FD_RESOLVE_BENEATH, stored
    in the file descriptor entry.  When the flag is set, any lookup relative
    to that fd automatically has O_RESOLVE_BENEATH semantics.  Furthermore,
    the flag is sticky, meaning that it cannot be cleared, and it is copied
    by dup() and openat().

    File descriptors with FD_RESOLVE_BENEATH set may not be passed to
    fchdir(2) or fchroot(2).  Various fd lookup routines are modified to
    return fd flags to the caller.

    This flag will be used to address a case where jails with different root
    directories and the ability to pass SCM_RIGHTS messages across the jail
    boundary can transfer directory fds in such as way as to allow a
    filesystem escape.

    PR:             262180
    Reviewed by:    kib
    MFC after:      3 weeks
    Differential Revision:  https://reviews.freebsd.org/D50371

    (cherry picked from commit f35525ff2053e026a423e852136d73ed93c95803)

 lib/libc/sys/fcntl.2         | 63 +++++++++++++++++++----------
 sys/fs/fdescfs/fdesc_vnops.c |  4 +-
 sys/kern/kern_descrip.c      | 95 ++++++++++++++++++++++++++++++++------------
 sys/kern/uipc_syscalls.c     |  2 +-
 sys/kern/vfs_acl.c           |  4 +-
 sys/kern/vfs_cache.c         | 14 +++++--
 sys/kern/vfs_extattr.c       |  8 ++--
 sys/kern/vfs_syscalls.c      | 21 +++++++---
 sys/sys/fcntl.h              |  2 +
 sys/sys/file.h               |  2 +-
 sys/sys/filedesc.h           |  8 +++-
 sys/sys/namei.h              |  1 +
 12 files changed, 156 insertions(+), 68 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-262180-227-VHGrf0WFFJ>