On 24 Jun 2025, at 23:04, Mark Johnston wrote:
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=350ba9672a7f4f16e30534a603df577dfd083b3f

commit 350ba9672a7f4f16e30534a603df577dfd083b3f
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2025-06-24 20:05:37 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2025-06-24 21:04:24 +0000

    unix: Set O_RESOLVE_BENEATH on fds transferred between jails

    If a pair of jails with different filesystem roots is able to exchange
    SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs
    mount), a process in one jail can open a directory outside of the root
    of the second jail and then pass the fd to that second jail, allowing
    the receiving process to escape the jail chroot.

    Address this using the new FD_RESOLVE_BENEATH flag. When externalizing
    an SCM_RIGHTS message into the receiving process, automatically set this
    flag on all new fds where a jail boundary is crossed. This ensures that
    the receiver cannot do more than access files underneath the directory;
    in particular, the received fd cannot be used to access vnodes not
    accessible by the sender.

    PR:             262179
    Reviewed by:    kib
    MFC after:      3 weeks
    Differential Revision:  https://reviews.freebsd.org/D50371
---
 sys/amd64/conf/SYZKALLER |  5 +++++
 sys/kern/uipc_usrreq.c   | 31 +++++++++++++++++++++++--------
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/sys/amd64/conf/SYZKALLER b/sys/amd64/conf/SYZKALLER
new file mode 100644
index 000000000000..965841313616
--- /dev/null
+++ b/sys/amd64/conf/SYZKALLER
@@ -0,0 +1,5 @@
+include GENERIC-KASAN
+ident SYZKALLER
+
+options        COVERAGE
+options        KCOV
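
Review bot: sys/amd64/conf/SYZKALLER is a new kernel config (GENERIC-KASAN plus COVERAGE and KCOV) that the commit log never mentions and that has no bearing on the SCM_RIGHTS change in sys/kern/uipc_usrreq.c. Suggest dropping it from this commit and, if it is wanted in the tree, adding it separately with its own log message and a header comment saying what the config is for, since the file as added has none. Splitting it out also keeps it from riding along when the jail fix is merged under "MFC after: 3 weeks".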

I think you didn’t intend to include this bit. (Although perhaps it should be committed in its own commit.)

—
Kristof
