HomeFreeBSD
Diffusion FreeBSD src repository 7e21c691f295

Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()
7e21c691f295
Actions

Description

Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()

As implemented, this security policy would only prevent seeing processes
in sub-jails, but would not prevent sending signals to, changing
priority of or debugging processes in these, enabling attacks where
unprivileged users could tamper with random processes in sub-jails in
particular circumstances (conflated UIDs) despite the policy being
enforced.

Approved by: re (gjb)
PR: 272092
Reviewed by: mhorne
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40628

(cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18)
(cherry picked from commit abfcae344feb89c635616769d12150f84c96c003)

Details

Provenance
olceAuthored on Aug 17 2023, 11:54 PM
mhorneCommitted on Oct 18 2023, 5:59 PM
Reviewer
mhorne
Differential Revision
D40628: Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()
Parents
rG768fe2300987: New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects
Branches
Unknown
Tags
Unknown

Changes (2)

PathSize
sys/
kern/
netinet/

rG7e21c691f295

View Options

sys/kern/kern_prot.c

Loading...
View Options

sys/netinet/in_prot.c

Loading...