Date:      Wed, 25 Jun 2025 10:56:59 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Mark Johnston <markj@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   Re: git: 350ba9672a7f - main - unix: Set O_RESOLVE_BENEATH on  fds transferred between jails
Message-ID:  <814CBB43-4B0A-41A3-9F4D-84CA3E39A2DC@FreeBSD.org>
In-Reply-To: <202506242104.55OL4ZxO085239@gitrepo.freebsd.org>
References:  <202506242104.55OL4ZxO085239@gitrepo.freebsd.org>


On 24 Jun 2025, at 23:04, Mark Johnston wrote:
> The branch main has been updated by markj:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=350ba9672a7f4f16e30534a603df577dfd083b3f
>
> commit 350ba9672a7f4f16e30534a603df577dfd083b3f
> Author:     Mark Johnston <markj@FreeBSD.org>
> AuthorDate: 2025-06-24 20:05:37 +0000
> Commit:     Mark Johnston <markj@FreeBSD.org>
> CommitDate: 2025-06-24 21:04:24 +0000
>
>     unix: Set O_RESOLVE_BENEATH on fds transferred between jails
>
>     If a pair of jails with different filesystem roots is able to exchange
>     SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs
>     mount), a process in one jail can open a directory outside of the root
>     of the second jail and then pass the fd to that second jail, allowing
>     the receiving process to escape the jail chroot.
>
>     Address this using the new FD_RESOLVE_BENEATH flag.  When externalizing
>     an SCM_RIGHTS message into the receiving process, automatically set this
>     flag on all new fds where a jail boundary is crossed.  This ensures that
>     the receiver cannot do more than access files underneath the directory;
>     in particular, the received fd cannot be used to access vnodes not
>     accessible by the sender.
>
>     PR:             262179
>     Reviewed by:    kib
>     MFC after:      3 weeks
>     Differential Revision:  https://reviews.freebsd.org/D50371
> ---
>  sys/amd64/conf/SYZKALLER |  5 +++++
>  sys/kern/uipc_usrreq.c   | 31 +++++++++++++++++++++++--------
>  2 files changed, 28 insertions(+), 8 deletions(-)
>
> diff --git a/sys/amd64/conf/SYZKALLER b/sys/amd64/conf/SYZKALLER
> new file mode 100644
> index 000000000000..965841313616
> --- /dev/null
> +++ b/sys/amd64/conf/SYZKALLER
> @@ -0,0 +1,5 @@
> +include GENERIC-KASAN
> +ident SYZKALLER
> +
> +options 	COVERAGE
> +options 	KCOV
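Review bot: the new sys/amd64/conf/SYZKALLER kernel config is not mentioned anywhere in the commit message, which describes only the SCM_RIGHTS/O_RESOLVE_BENEATH change in sys/kern/uipc_usrreq.c; either drop this hunk from the commit or give it its own commit whose message states what the `include GENERIC-KASAN` plus `options COVERAGE` / `options KCOV` configuration is for.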

I think you didn't intend to include this bit. (Although perhaps it should be committed in its own commit.)

—
Kristof
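The escape the commit message describes, and the restriction that a beneath-only lookup imposes on a received directory fd, can be seen from userland with a small program. This is an added example and not code from the commit, the FreeBSD tree, or anyone in this thread: it builds a constructed scratch tree under /tmp, passes a directory fd over a socketpair with SCM_RIGHTS, and shows that the receiver can reach `../outside.txt` through an unrestricted `openat()` but not through a beneath-restricted lookup. The `open_beneath()` helper, the `demo()` routine and the file names are the example's own; on FreeBSD it uses `O_RESOLVE_BENEATH`, on Linux `openat2(2)` with `RESOLVE_BENEATH` is assumed as the closest analog, and where neither is available it falls back to a weaker lexical check.

```c
/* Added example, not code from the commit or the thread: a directory fd is
 * passed over a unix socket with SCM_RIGHTS, and the receiving side compares
 * an unrestricted openat() with a "beneath"-restricted lookup on that fd. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#if defined(__linux__) && __has_include(<linux/openat2.h>)
#include <sys/syscall.h>
#include <linux/openat2.h>
#define HAVE_OPENAT2 1
#endif

union fdcmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; }; /* one fd */

/* Send one descriptor as an SCM_RIGHTS message; 0 on success, -1 on error. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the newly installed fd or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdcmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *cm;
    if (recvmsg(sock, &msg, 0) != 1 || (cm = CMSG_FIRSTHDR(&msg)) == NULL ||
        cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Open path relative to dirfd, refusing any resolution that leaves dirfd.
 * FreeBSD: O_RESOLVE_BENEATH, the flag the commit applies in-kernel.
 * Linux: openat2(2) with RESOLVE_BENEATH as the closest analog (assumption).
 * Otherwise a lexical fallback that rejects absolute paths and ".." components
 * and, unlike the kernel flags, cannot see through symlinks. */
static int open_beneath(int dirfd, const char *path)
{
#if defined(O_RESOLVE_BENEATH)
    return openat(dirfd, path, O_RDONLY | O_RESOLVE_BENEATH);
#elif defined(HAVE_OPENAT2) && defined(SYS_openat2)
    struct open_how how = { .flags = O_RDONLY, .resolve = RESOLVE_BENEATH };
    int fd = (int)syscall(SYS_openat2, dirfd, path, &how, sizeof(how));
    if (fd >= 0 || (errno != ENOSYS && errno != EPERM))   /* EPERM: seccomp */
        return fd;
#endif
    if (path[0] == '/') { errno = EACCES; return -1; }
    for (const char *p = path; *p != '\0'; ) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') { errno = EACCES; return -1; }
        p += n + (p[n] == '/');
    }
    return openat(dirfd, path, O_RDONLY);
}

/* Constructed scratch tree: root/outside.txt and root/inner/inside.txt.  The fd
 * for root/inner crosses a socketpair (standing in for the jail boundary) and is
 * probed from the receiving end.  Returns 0 when plain openat() reaches
 * ../outside.txt but open_beneath() refuses it while allowing inside.txt. */
static int demo(void)
{
    char root[] = "/tmp/scmrights-XXXXXX";
    if (mkdtemp(root) == NULL) return -1;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rootfd < 0 || mkdirat(rootfd, "inner", 0700) != 0) return -1;
    int dfd = openat(rootfd, "inner", O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    close(openat(rootfd, "outside.txt", O_CREAT | O_WRONLY, 0600));
    close(openat(dfd, "inside.txt", O_CREAT | O_WRONLY, 0600));
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || send_fd(sv[0], dfd) != 0)
        return -1;
    int rfd = recv_fd(sv[1]);                        /* the receiver's copy */
    if (rfd < 0) return -1;
    int plain_out = openat(rfd, "../outside.txt", O_RDONLY);   /* escapes */
    int beneath_in = open_beneath(rfd, "inside.txt");          /* allowed */
    int beneath_out = open_beneath(rfd, "../outside.txt");     /* refused */
    int ok = plain_out >= 0 && beneath_in >= 0 && beneath_out < 0;
    close(plain_out); close(beneath_in); close(rfd); close(sv[0]); close(sv[1]);
    unlinkat(dfd, "inside.txt", 0); unlinkat(rootfd, "outside.txt", 0); close(dfd);
    unlinkat(rootfd, "inner", AT_REMOVEDIR); close(rootfd); rmdir(root);
    return ok ? 0 : -1;
}
```

The helper only protects callers that choose to use it; the commit's point is that the kernel sets the flag itself, at the moment the SCM_RIGHTS message is externalized across a jail boundary, so the receiving process cannot opt out of the restriction.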