From: Andrea Cocito
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
Subject: Retrieving the jid/jailname of connected peer for a unix socket
Message-Id: <7878EFBC-2BCF-42ED-9BFC-D96DC0DDC23A@cocito.eu>
Date: Tue, 23 Dec 2025 13:54:31 +0100
To: freebsd-hackers@freebsd.org

Hello hackers,

I am working on a project in which I run a "web server" bound to a unix socket; the socket lives in a directory that is re-mounted as a read-only nullfs in various jails, so processes in each jail can make requests to this "server".

I need the server to be able to know from which jail the request comes, and this is needed as an authentication method.

So far the best I could do is a three-step approach:

1. I retrieve the pid of the process connected to the other side of the socket: getsockopt(fd, SOL_LOCAL, LOCAL_PEERCRED, ...)
2. I map that pid to a jid: int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, static_cast<int>(pid) }; sysctl(mib, 4, &kp, &len, nullptr, 0)
3. I map the jid to a jail name with jail_getname()

As LOCAL_PEERCRED returns the peer's credentials "as they were captured when the socket connection was established" and there could be a small delay before we accept(), there is an unlikely but formally possible TOCTOU issue that potentially could be exploited as follows:

a. A process with pid P in a jail starts and attempts a connect()
b. In the meanwhile a connect-bomb or other "overloading" technique slows down the server
c. Process P passes the fd to process Q and exit()s
d. If, when we accept(), another process (potentially in another jail) has got pid P... we get the wrong information

As a mitigation I am currently resolving fd->credentials->jid->name as soon as possible server-side and obviously using randomized pids, but there is still a formal delay in accept() and I understand I am violating the golden rule "do not use a pid to grant permissions/authenticate". I also tried to investigate other safety options (like checking that the pid actually started before the connection took place), but it seems that nothing from the kernel exposes the "timestamp when connect() was called", so I always have the connect()-to-accept() window of risk.

So the question is: am I missing some simpler or safer way to get the "jail id of the process which connected to the other side of this unix socket", besides embarking on "set LOCAL_CREDS_PERSISTENT and check LOCAL_CREDS on received traffic", which would be quite complex to plumb into Crow-http?

Thank you for any comment/hint and have a hacking Christmas.

A.

PS: I do not consider any TOCTOU between steps 2 and 3 above, as I consider the parent machine "safe" and take for granted that no-one will create a jail with a different name and the same jid in between.