Date: Thu, 07 May 2026 17:27:06 +0000 From: Kyle Evans <kevans@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Jan Bramkamp <crest+freebsd@rlwinm.de> Subject: git: 187de25ef99e - stable/14 - jail: avoid leaking jail config fds to exec.* hooks Message-ID: <69fccb6a.3d178.a311759@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/14 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=187de25ef99e49dd7a6a4bfa630f10ab9571ef17 commit 187de25ef99e49dd7a6a4bfa630f10ab9571ef17 Author: Jan Bramkamp <crest+freebsd@rlwinm.de> AuthorDate: 2026-05-06 23:28:53 +0000 Commit: Kyle Evans <kevans@FreeBSD.org> CommitDate: 2026-05-07 17:27:03 +0000 jail: avoid leaking jail config fds to exec.* hooks The jail(8) command must not leave parsed configuration files open since the file descriptors will be leaked to child processes including the untrusted exec.start or exec.stop hooks. While fopen() doesn't provide direct access to O_CLOEXEC, it does provide access to FD_CLOEXEC via "e" in the mode string which provides the desired defense in depth against leaking file descriptors into exec.* hooks since those always execve() into a shell. Jail configuration is potentially sensitive and some hooks execute from within the jail context, leaving some opening for the jail to exfiltrate information about the host environment. (Commit message wordsmithed by kevans) PR: 295052 Reviewed by: kevans (cherry picked from commit 276d9b88a9e6fd6fd90e57c36444756ad297d2ab) --- usr.sbin/jail/config.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c index 4465839cba0b..5cf2e34a8340 100644 --- a/usr.sbin/jail/config.c +++ b/usr.sbin/jail/config.c @@ -321,6 +321,7 @@ static void parse_config(const char *cfname, int is_stdin) { struct cflex cflex = {.cfname = cfname, .error = 0}; + FILE *yfp = NULL; void *scanner; yylex_init_extra(&cflex, &scanner); @@ -328,7 +329,7 @@ parse_config(const char *cfname, int is_stdin) cflex.cfname = "STDIN"; yyset_in(stdin, scanner); } else { - FILE *yfp = fopen(cfname, "r"); + yfp = fopen(cfname, "re"); if (!yfp) err(1, "%s", cfname); yyset_in(yfp, scanner); @@ -336,6 +337,8 @@ parse_config(const char *cfname, int is_stdin) if (yyparse(scanner) || cflex.error) exit(1); yylex_destroy(scanner); + if (yfp != NULL) + fclose(yfp); } /*home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69fccb6a.3d178.a311759>