To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: e6b96891ef7c - releng/13.5 - unix: Set O_RESOLVE_BENEATH on fds transferred between jails
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.5
X-Git-Reftype: branch
X-Git-Commit: e6b96891ef7c44b5413164a05a8c0a07eaaf59e3
Auto-Submitted: auto-generated
Date: Tue, 24 Feb 2026 16:04:42 +0000
Message-Id: <699dcc1a.275b0.30339030@gitrepo.freebsd.org>

The branch releng/13.5 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=e6b96891ef7c44b5413164a05a8c0a07eaaf59e3

commit e6b96891ef7c44b5413164a05a8c0a07eaaf59e3
Author:     Mark Johnston
AuthorDate: 2025-06-24 20:05:37 +0000
Commit:     Mark Johnston
CommitDate: 2026-02-23 01:48:38 +0000

    unix: Set O_RESOLVE_BENEATH on fds transferred between jails

    If a pair of jails with different filesystem roots is able to exchange
    SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs
    mount), a process in one jail can open a directory outside of the root
    of the second jail and then pass the fd to that second jail, allowing
    the receiving process to escape the jail chroot.

    Address this using the new FD_RESOLVE_BENEATH flag. When externalizing
    an SCM_RIGHTS message into the receiving process, automatically set
    this flag on all new fds where a jail boundary is crossed. This
    ensures that the receiver cannot do more than access files underneath
    the directory; in particular, the received fd cannot be used to access
    vnodes not accessible by the sender.

Approved by: so PR: 262179 Reviewed by: kib MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D50371 (cherry picked from commit 350ba9672a7f4f16e30534a603df577dfd083b3f) (cherry picked from commit 73530e4c2ea92564e393e0497f13dfac251a41b7) --- sys/amd64/conf/SYZKALLER | 5 +++++ sys/kern/uipc_usrreq.c | 31 +++++++++++++++++++++++-------- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/sys/amd64/conf/SYZKALLER b/sys/amd64/conf/SYZKALLER new file mode 100644 index 000000000000..965841313616 --- /dev/null +++ b/sys/amd64/conf/SYZKALLER @@ -0,0 +1,5 @@ +include GENERIC-KASAN +ident SYZKALLER + +options COVERAGE +options KCOV diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 0f5048a96e89..4043e7260d0f 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -57,7 +57,6 @@ * need a proper out-of-band */ -#include #include "opt_ddb.h" #include @@ -67,6 +66,7 @@ #include #include #include +#include #include #include #include @@ -1993,22 +1993,34 @@ unp_freerights(struct filedescent **fdep, int fdcount) free(fdep[0], M_FILECAPS); } +static bool +restrict_rights(struct file *fp, struct thread *td) +{ + struct prison *prison1, *prison2; + + prison1 = fp->f_cred->cr_prison; + prison2 = td->td_ucred->cr_prison; + return (prison1 != prison2 && prison1->pr_root != prison2->pr_root && + prison2 != &prison0); +} + static int unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) { struct thread *td = curthread; /* XXX */ struct cmsghdr *cm = mtod(control, struct cmsghdr *); - int i; int *fdp; struct filedesc *fdesc = td->td_proc->p_fd; struct filedescent **fdep; void *data; socklen_t clen = control->m_len, datalen; - int error, newfds; + int error, fdflags, newfds; u_int newlen; UNP_LINK_UNLOCK_ASSERT(); + fdflags = (flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0; + error = 0; if (controlp != NULL) /* controlp == NULL => free control messages */ *controlp = NULL; 
@@ -2059,11 +2071,14 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags) *controlp = NULL; goto next; } - for (i = 0; i < newfds; i++, fdp++) { - _finstall(fdesc, fdep[i]->fde_file, *fdp, - (flags & MSG_CMSG_CLOEXEC) != 0 ? O_CLOEXEC : 0, - &fdep[i]->fde_caps); - unp_externalize_fp(fdep[i]->fde_file); + for (int i = 0; i < newfds; i++, fdp++) { + struct file *fp; + + fp = fdep[i]->fde_file; + _finstall(fdesc, fp, *fdp, fdflags | + (restrict_rights(fp, td) ? + O_RESOLVE_BENEATH : 0), &fdep[i]->fde_caps); + unp_externalize_fp(fp); } /*
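
Review bot: The new file sys/amd64/conf/SYZKALLER is not mentioned anywhere in the log message and has no bearing on the SCM_RIGHTS change in uipc_usrreq.c, so it reads as a stray addition carried along with the cherry-pick. A kernel config that includes GENERIC-KASAN and adds `options COVERAGE` and `options KCOV` is fuzzing scaffolding, and bundling it into a security fix on a releng branch makes the fix harder to audit and to backport cleanly. I would drop it from this commit, or land it separately with its own log message and a header comment saying what the config is for.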
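
Review bot: restrict_rights(), added in the uipc_usrreq.c hunk at -1993, carries no comment, and its three-part condition encodes policy that a reader has to reverse-engineer. Three things deserve to be written down above the function: `prison1` comes from `fp->f_cred`, which is the credential attached to the file rather than the credential of the thread that sent the message, while the log message talks about what is "accessible by the sender"; `prison2 != &prison0` means a receiver in prison0 is never restricted, whatever the origin of the file; and `pr_root` is compared by pointer, so two distinct jails that share a root are also exempt. Renaming `prison1`/`prison2` to something like file and receiver prison would make the direction of the check obvious at a glance.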
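
Review bot: At the `_finstall()` call in the loop at -2059, the value OR-ed into `fdflags` is `O_RESOLVE_BENEATH`, whereas the log message says the fix uses the FD_RESOLVE_BENEATH flag; a short comment at the call site should say how the open-style flag passed here relates to the per-descriptor flag named in the log, since that relationship is the whole security property of the change. The flag is applied to every fd in the message for which restrict_rights() is true, not only to directories, which matches "all new fds" in the log but is worth stating next to the code. The diffstat lists only the config file and uipc_usrreq.c, so no regression test accompanies the fix; a test that passes a directory fd across a jail boundary and checks that lookups through it cannot leave that directory would keep this from regressing.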