Paths

Table of Contentst

Differential D47601

MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules
Needs ReviewPublic
Actions

Authored by olce on Fri, Nov 15, 5:07 PM.

Tags

None

Referenced Files

None

Subscribers

Details

Reviewers

Summary

This revision is part of a series. Click on the Stack tab below to see the context.
This series has also been squeezed into D47633 to provide an overall view.

Commit message:
Allowing to change the rules specification on a jail other than the
requesting's thread one is a security issue, as it will immediately
apply to the jail we inherited from and all its other descendants that
inherit from it.

With this change, setting the 'mdo_rules' sysctl in a jail forces that
jail to no more inherit from its parent.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 60592
Build 57476: arc lint + arc unit

Event Timeline

olce created this revision.Fri, Nov 15, 5:07 PM

Herald added a subscriber: imp. · View Herald TranscriptFri, Nov 15, 5:07 PM

olce requested review of this revision.Fri, Nov 15, 5:07 PM

Harbormaster completed remote builds in B60592: Diff 146534.Fri, Nov 15, 5:07 PM

olce edited the summary of this revision. (Show Details)Fri, Nov 15, 10:44 PM

olce added a parent revision: D47600: MAC/do: sysctl_rules(): Always copy the rules specification string.Fri, Nov 15, 10:47 PM

olce added a child revision: D47602: MAC/do: Enable changing 'security.mac.do.rules' from a jail.

olce added a reviewer: bapt.Fri, Nov 15, 10:49 PM

olce added subscribers: lwhsu, emaste.Fri, Nov 15, 10:52 PM

Revision Contents
Changeset List

Path

Size

sys/

security/

mac_do/

6 lines

Diff 146534

sys/security/mac_do/mac_do.c

Loading...