Unprivileged chroot
ClosedPublic

Authored by trasz on May 5 2021, 7:18 PM.
Summary

This is an RFC for unprivileged chroot(8). All feedback is welcome.

This builds on the recently introduced NO_NEW_PRIVS flag to implement unprivileged chroot, enabled by security.bsd.unprivileged_chroot. It allows non-root processes to chroot(2), provided they have the NO_NEW_PRIVS flag set.

The chroot(8) utility gets a new flag, -n, which sets NO_NEW_PRIVS before chrooting.

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

trasz requested review of this revision. May 5 2021, 7:18 PM
jhb added inline comments.
sys/kern/kern_exec.c:655 (On Diff #88696)

This is now redundant as the helper function frees the cred?

sys/kern/vfs_syscalls.c:961

Rebase, improve the consistency of procctl(2) API, and add Linux bits.

trasz marked 2 inline comments as done. Jun 7 2021, 4:48 PM
trasz added reviewers: secteam, jhb, phk.

I'm fine with the two new features proposed individually.

But their linkage has me worried; it is both very blunt and opaque.

We cannot allow random users to chroot into a tree of their own construction full of captive setuid files.

But how did they get the setuid files in there to begin with, without losing the setuid bits?

As far as I can tell, the only way to do that, is to have a writable directory on the same filesystem as the setuid file you want to capture, in which case you can hard-link to it.

It sounds to me like the correct protection is to disallow hardlinking to setuid files, unless you are root or own them?

And thinking more about it: Why is that even allowed to begin with?!

I think this needs to be run past the secteam and possibly arch?
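As an added example, not part of this review or of the FreeBSD tree, here is a POSIX shell check for the concern raised above: it lists setuid/setgid files with more than one hard link inside a tree that a user could chroot into, and reports the security.bsd.unprivileged_chroot sysctl from the summary where the system has it. The sample tree it builds is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not from the review): audit a directory tree that an
# unprivileged user could chroot into for the "captive setuid file" case,
# i.e. a setuid/setgid file with more than one hard link, which may have
# been linked in from elsewhere on the same filesystem.

# Value of the sysctl introduced by this review, or "n/a" on systems that
# do not have it (for example when this script is run on Linux).
unprivileged_chroot_setting() {
    v=$(sysctl -n security.bsd.unprivileged_chroot 2>/dev/null) || v="n/a"
    printf '%s\n' "$v"
}

# Print an ls -l line (column 2 is the hard-link count, on both BSD and
# Linux) for every setuid/setgid regular file under $1 whose link count is
# above 1. Prints nothing if the tree is clean.
audit_chroot_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -links +1 \
        -exec ls -ld {} \;
}

# Number of findings, convenient for scripted checks.
audit_chroot_tree_count() {
    audit_chroot_tree "$1" | wc -l | tr -d ' '
}

# Build a constructed sample layout (not a real system) in a temp dir and
# print its path: one setuid file hard-linked into the jail from outside
# (the case to catch), one single-link setuid file, and one hard-linked
# file without setuid.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/outside" "$d/jail/bin"
    printf 'x' > "$d/outside/su-like"; chmod 4755 "$d/outside/su-like"
    ln "$d/outside/su-like" "$d/jail/bin/su-like"   # captive setuid copy
    printf 'x' > "$d/jail/bin/own-suid"; chmod 4755 "$d/jail/bin/own-suid"
    printf 'x' > "$d/outside/plain"; ln "$d/outside/plain" "$d/jail/bin/plain"
    printf '%s\n' "$d"
}
```

Run `audit_chroot_tree "$d/jail"` on the tree from `make_sample_tree`; only the hard-linked setuid file is reported.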

For the purpose of making it easier to review, and eventually commit, parts have been spun off into https://reviews.freebsd.org/D30939 and https://reviews.freebsd.org/D30940. I'll follow up with Linuxulator and chroot bits afterwards.

Regen, improve man page description.

trasz retitled this revision from PROC_NO_NEW_PRIVS and `chroot -n` to Unprivileged chroot. Jul 7 2021, 10:09 AM
trasz edited the summary of this revision.
usr.sbin/chroot/chroot.8:68

There is no prctl

This revision is now accepted and ready to land. Jul 13 2021, 10:10 AM
This revision was automatically updated to reflect the committed changes.