From: Kristof Provost
To: Mark Johnston
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 350ba9672a7f - main - unix: Set O_RESOLVE_BENEATH on fds transferred between jails
Date: Wed, 25 Jun 2025 10:56:59 +0200

On 24 Jun 2025, at 23:04, Mark Johnston wrote:

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=350ba9672a7f4f16e30534a603df577dfd083b3f

commit 350ba9672a7f4f16e30534a603df577dfd083b3f
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-06-24 20:05:37 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-06-24 21:04:24 +0000

unix: Set O_RESOLVE_BENEATH on fds transferred between jails

If a pair of jails with different filesystem roots is able to exchange
SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs
mount), a process in one jail can open a directory outside of the root
of the second jail and then pass the fd to that second jail, allowing
the receiving process to escape the jail chroot.

Address this using the new FD_RESOLVE_BENEATH flag.  When externalizing
an SCM_RIGHTS message into the receiving process, automatically set this
flag on all new fds where a jail boundary is crossed.  This ensures that
the receiver cannot do more than access files underneath the directory;
in particular, the received fd cannot be used to access vnodes not
accessible by the sender.

PR:             262179
Reviewed by:    kib
MFC after:      3 weeks
Differential Revision:  https://reviews.freebsd.org/D50371

sys/amd64/conf/SYZKALLER | 5 +++++
sys/kern/uipc_usrreq.c | 31 +++++++++++++++++++++++--------
2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/sys/amd64/conf/SYZKALLER b/sys/amd64/conf/SY= ZKALLER
new file mode 100644
index 000000000000..965841313616
--- /dev/null
+++ b/sys/amd64/conf/SYZKALLER
@@ -0,0 +1,5 @@
+include GENERIC-KASAN
+ident SYZKALLER
+
+options COVERAGE
+options KCOV
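
Review bot: sys/amd64/conf/SYZKALLER is a new kernel configuration file that the commit log never mentions; the log describes only the SCM_RIGHTS handling, and the diffstat places that work in sys/kern/uipc_usrreq.c. Suggest dropping this file from the commit and, if it is wanted in the tree, adding it in a separate commit with a header comment saying what the config is for, since `include GENERIC-KASAN` followed by `options COVERAGE` and `options KCOV` carries no explanation on its own.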

I think you didn’t intend to include this bit. (Although perhaps it should be committed in its own commit.)

—
Kristof
