Implement unprivileged chroot
a40cf4175c90
Actions

Description

Implement unprivileged chroot

This builds on recently introduced NO_NEW_PRIVS flag to implement
unprivileged chroot, enabled by security.bsd.unprivileged_chroot.
It allows non-root processes to chroot(2), provided they have the
NO_NEW_PRIVS flag set.

The chroot(8) utility gets a new flag, -n, which sets NO_NEW_PRIVS
before chrooting.

Reviewed By: kib
Sponsored By: EPSRC
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D30130

Details

Provenance

trasz

Authored on Jul 20 2021, 8:56 AM

Reviewer

kib

Differential Revision

D30130: Unprivileged chroot

Parents

rG27ab791a5519: pf tests: ensure syncookie does not create state

Branches

Unknown

Tags

Unknown

Event Timeline

trasz committed rGa40cf4175c90: Implement unprivileged chroot (authored by trasz).Jul 20 2021, 8:57 AM

trasz added an edge: D30130: Unprivileged chroot.Jul 20 2021, 9:30 AM

debdrup mentioned this in D33909: handbook: Further tweaks to Linuxulator chapter.Jan 16 2022, 6:31 PM

trasz mentioned this in rG460b4b550dc9: Implement unprivileged chroot.Feb 18 2022, 2:52 PM

Changes (3)

Path

Size

sys/

kern/

vfs_syscalls.c

usr.sbin/

chroot/

chroot.8

chroot.c

rGa40cf4175c90

View Options

sys/kern/vfs_syscalls.c

View Options

usr.sbin/chroot/chroot.8

View Options

Implement unprivileged chroota40cf4175c90Actions

Description

Details

Event Timeline

Changes (3)

rGa40cf4175c90

sys/kern/vfs_syscalls.c

usr.sbin/chroot/chroot.8

usr.sbin/chroot/chroot.c

Implement unprivileged chroot
a40cf4175c90
Actions