Date: Mon, 29 Sep 2025 17:38:12 GMT
From: Olivier Certner
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 9f269a0a771a - main - MAC/do: Check executable path from the current jail's root
Message-Id: <202509291738.58THcCqC061015@gitrepo.freebsd.org>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 9f269a0a771aff4f0a735211907a52c52fc0661b

The branch main has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=9f269a0a771aff4f0a735211907a52c52fc0661b

commit 9f269a0a771aff4f0a735211907a52c52fc0661b
Author:     Olivier Certner
AuthorDate: 2025-09-27 09:56:33 +0000
Commit:     Olivier Certner
CommitDate: 2025-09-29 17:37:12 +0000

    MAC/do: Check executable path from the current jail's root

    Contrary to my initial belief, vn_fullpath() does return a vnode's path
    from the current chroot, and not from the global root (which would have
    been a bug also, but without security consequences).  This enables a
    "confused deputy"-like scenario where a chroot(2) can change which
    executable can be authorized by MAC/do, which is even more problematic
    for unprivileged chroot(2).

    This was found by re-examining the code following two close events:

    1. Shawn Webb sent a mail to freebsd-hackers@ on 08/05 saying that in
       HardenedBSD they had added a check on P2_NO_NEW_PRIVS (in
       mac_do_priv_grant()), which I responded to on 08/20 saying that
       P2_NO_NEW_PRIVS was not necessary for mac_do(4), with a correct
       reasoning but based on the wrong above-mentioned assumption about
       vn_fullpath().

    2. I reviewed some code by Kushagra Srivastava (GSoC 2025 student
       working on mac_do(4)/mdo(1)) adding the ability to specify which
       executables can spawn processes that mac_do(4) may decide to
       authorize (others are simply ignored), which currently is hardcoded
       to '/usr/bin/mdo'.

    MFC after:              3 days
    Event:                  EuroBSDCon 2025
    Sponsored by:           The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D52758
---
 sys/security/mac_do/mac_do.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c index 6f3e63d06198..2bcff7bba973 100644 --- a/sys/security/mac_do/mac_do.c +++ b/sys/security/mac_do/mac_do.c @@ -1992,6 +1992,10 @@ check_proc(void) /* * Only grant privileges if requested by the right executable. * + * As MAC/do configuration is per-jail, in order to avoid confused + * deputy situations in chroots (privileged or unprivileged), make sure + * to check the path from the current jail's root. + * * XXXOC: We may want to base this check on a tunable path and/or * a specific MAC label. Going even further, e.g., envisioning to * completely replace the path check with the latter, we would need to @@ -2003,7 +2007,7 @@ check_proc(void) * setting a MAC label per file (perhaps via additions to mtree(1)). So * this probably isn't going to happen overnight, if ever. */ - if (vn_fullpath(curproc->p_textvp, &path, &to_free) != 0) + if (vn_fullpath_jail(curproc->p_textvp, &path, &to_free) != 0) return (EPERM); error = strcmp(path, "/usr/bin/mdo") == 0 ? 0 : EPERM; free(to_free, M_TEMP);
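Review bot: in the first hunk (the added comment paragraph at -1992,6 +1992,10), the new text gives the policy reason (per-jail configuration, confused deputy in chroots) but not the mechanism that made the previous line wrong, which only the commit message states: vn_fullpath() resolves the path relative to the process's current root directory, so after a chroot(2), privileged or not, any binary placed at <newroot>/usr/bin/mdo compared equal to "/usr/bin/mdo". A maintainer reading only the source could take vn_fullpath() and vn_fullpath_jail() as interchangeable here and switch back; suggest one more sentence in the comment, along the lines of "vn_fullpath() would resolve relative to the process's root directory, which chroot(2) controls." The XXXOC paragraph that follows still describes the future work as a "tunable path"; if that tunable arrives it must be interpreted relative to the jail root as well, which is worth saying now so the two comments do not diverge.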
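Review bot: the second hunk (-2003,7 +2007,7) fixes the lookup but ships without a regression test; the diffstat shows only mac_do.c changed, and the case this commit is about (an unprivileged chroot(2) with a file named usr/bin/mdo under the new root, which must now be denied) is exactly what a test would pin down, so it should land with the fix or at least with the MFC. Two consequences worth recording in the review or the MFC note: for a process outside any jail the jail root is the system root, so host behaviour changes only inside chroots, and any deployment that relied on running mdo from a chroot will now get EPERM; and for a jailed process the comparison is against that jail's own /usr/bin/mdo, which matches the per-jail configuration the new comment describes. The check is still a string comparison on a path, so it identifies the binary by name rather than by content or label; the existing XXXOC comment already covers that, so no change requested there.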
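The confused-deputy mechanism the commit message describes, as an added example that is not part of this commit or of FreeBSD: a user-space model of check_proc()'s path test. It resolves the running binary's path two ways, from the process's own root directory (what vn_fullpath() does, the old code) and from the jail's root (what vn_fullpath_jail() does, the fix), and runs both over constructed scenarios. The struct, the helper names and all paths are invented for the model; nothing here calls the kernel.

```c
/*
 * Added example, not FreeBSD code: user-space model of the executable path
 * check in mac_do(4)'s check_proc(). Names and paths are invented sample data.
 * Build: cc -std=c99 -Wall -o mdo_model mdo_model.c && ./mdo_model
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define TRUSTED_EXEC "/usr/bin/mdo"	/* the path check_proc() hardcodes */

/* What the kernel knows about the calling process, in global-path terms. */
struct proc_model {
	const char *text_path;	/* global path of the executed vnode (p_textvp) */
	const char *jail_root;	/* root of the process's jail; "/" on the host */
	const char *proc_root;	/* root after chroot(2); equals jail_root if none */
};

/*
 * Express `full` relative to `root`, the way a reverse path lookup that stops
 * at `root` reports it. Returns 0 and fills `out`, or ENOENT when `full` is
 * not below `root` (the real lookup fails there too; check_proc() maps that
 * failure to EPERM).
 */
static int
path_from_root(const char *full, const char *root, char *out, size_t outlen)
{
	size_t rlen = strlen(root);

	/* Drop trailing slashes so "/" becomes the empty prefix. */
	while (rlen > 0 && root[rlen - 1] == '/')
		rlen--;
	if (strncmp(full, root, rlen) != 0)
		return (ENOENT);
	/* "/jails/a" must not be treated as a prefix of "/jails/ab/...". */
	if (rlen > 0 && full[rlen] != '/' && full[rlen] != '\0')
		return (ENOENT);
	const char *rest = full + rlen;
	if (*rest == '\0')
		rest = "/";
	if (strlen(rest) >= outlen)
		return (ENAMETOOLONG);
	strcpy(out, rest);
	return (0);
}

/* Shared tail of check_proc(): fail closed on lookup error, then compare. */
static int
authorize_path(int lookup_error, const char *path)
{
	if (lookup_error != 0)
		return (EPERM);
	return (strcmp(path, TRUSTED_EXEC) == 0 ? 0 : EPERM);
}

/* Old behaviour: path resolved from the process's (possibly chroot'ed) root. */
static int
check_proc_chroot_relative(const struct proc_model *p)
{
	char path[256];
	int error = path_from_root(p->text_path, p->proc_root, path, sizeof(path));

	return (authorize_path(error, path));
}

/* Fixed behaviour: path resolved from the jail root, which chroot(2) cannot move. */
static int
check_proc_jail_relative(const struct proc_model *p)
{
	char path[256];
	int error = path_from_root(p->text_path, p->jail_root, path, sizeof(path));

	return (authorize_path(error, path));
}

/* Constructed scenarios: the genuine mdo, and a copy of any binary under a chroot. */
static const struct proc_model legit_host =
    { "/usr/bin/mdo", "/", "/" };
static const struct proc_model chroot_attacker_host =
    { "/home/alice/fakeroot/usr/bin/mdo", "/", "/home/alice/fakeroot" };
static const struct proc_model legit_jailed =
    { "/jails/web/usr/bin/mdo", "/jails/web", "/jails/web" };
static const struct proc_model chroot_attacker_jailed =
    { "/jails/web/tmp/fake/usr/bin/mdo", "/jails/web", "/jails/web/tmp/fake" };

int
main(void)
{
	const struct proc_model *cases[] = { &legit_host, &chroot_attacker_host,
	    &legit_jailed, &chroot_attacker_jailed };

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-36s chroot-relative: %-5s jail-relative: %s\n",
		    cases[i]->text_path,
		    check_proc_chroot_relative(cases[i]) == 0 ? "GRANT" : "deny",
		    check_proc_jail_relative(cases[i]) == 0 ? "GRANT" : "deny");
	return (0);
}
```

The two attacker scenarios are granted by the chroot-relative check and denied by the jail-relative one; the two legitimate scenarios pass both, including the jailed one, where the jail's own /usr/bin/mdo is the intended binary because MAC/do configuration is per-jail.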