In D44373#1032959, @jonathan wrote: @trasz: thanks for sending this review request. My general feeling is that I'm leery of relaxing the in-kernel security model, not just because of the potential for opening things we don't mean to open, but also because it complicates the model for those who are trying to understand it. "No global namespaces", while limiting, is a clearer rule than "no global namespaces unless you or your ancestor has previously called fchroot(2), unless-unless something has also called cap_enter(2) again to clear that magic vnode".
Mon, May 27
Tue, May 21
Sat, May 18
(And also an earlier version of this did exactly that wrt idtype, that’s why the title still mentions the “limited subset”; only after that I’ve discovered that you can’t wait for arbitrary PIDs anyway.)
I might be wrong, but isn’t this restriction already there, inherent to wait(2) APIs? You need to use kqueue to wait for non-children?
May 14 2024
Sigh, a typo.
Man page fix from Brooks.
May 13 2024
May 2 2024
Use the right symbol version and bump Dd.
May 1 2024
There's a separate review for vfork (https://reviews.freebsd.org/D39829). And yeah, I've pasted Robert the link to this one here :)
Add back procstat(1) bits and remove syscalls.map
As for CAP_FCHROOT - I think we should have it, if only for symmetry with CAP_FCHDIR. I don't really want to implement them - the lookup code isn't really suited for tracking rights for root and cwd, and so those two syscalls require full rights to succeed, not just a subset - but we could in the future.
Apr 22 2024
Mar 27 2024
Mar 22 2024
Mar 21 2024
Can you describe the dlopen threat model a bit more? My assumption is, a typical Capsicum-aware app wouldn't be setting the rootdir/curdir at all. Or, if it does, it could call cap_enter(2) again before calling dlopen(3), clearing those vnodes.
Fix panic which occurred when the PID is specified explicitly.
Also handle wait6(2). Add some documentation. Pacify a test.
I agree this should be documented somewhere, but at the moment wait(2) doesn't mention Capsicum at all, and capsicum(4) doesn't mention wait(2). Perhaps a paragraph in pdfork(2), something along the lines of "processes created with pdfork cannot be waited for by a parent running in capsicum(4) mode"?
Mar 16 2024
Mar 15 2024
trasz added a reviewer for D44372: Allow subset of wait4(2) functionality in Capsicum mode: capsicum.
Dec 27 2023
It appears to be working correctly now. Thank you all :)
Dec 18 2023
I'm not sure what exactly happened here, but I suspect there was something wrong with testing it: while one of Kib's previous commits fixed the instapanic on "automount -c", it still doesn't work, see the last few entries at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274992.
Nov 10 2023
Thank you, I think I'm fine with toggling it from "async" to "sync" specifically for msdosfs.
Nov 9 2023
In D42494#969894, @manu wrote: In D42494#969882, @trasz wrote: I’m not a huge fan of this one tbh. I seem to remember I had it like this for a while, and it was 1. Unbearably slow and 2. Increased flash wear and tear.
For 1/ yes it will be slower. But safer.
Doesn't this also enable it by default? If so, it might be a good idea to fix the instapanic it's causing first, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274992.
Nov 8 2023
I’m not a huge fan of this one tbh. I seem to remember I had it like this for a while, and it was 1. Unbearably slow and 2. Increased flash wear and tear.
Sep 4 2023
In D41564#950112, @brooks wrote: I wonder if a chrootat(fd, path) that allows a NULL path would be more general?
Should there be a flags argument?
Aug 31 2023
Implemented in a better way by https://reviews.freebsd.org/D34426.
Aug 23 2023
Aug 17 2023
trasz added a comment to D38351: [RFC/Proposal] Mechanism for in-kernel AT_FDCWD substitution with provided FD for oblivious sandboxing with Capsicum.
FWIW, I've been playing with this idea on and off, and I have some patches, some of them not even entirely broken :) In particular I have fchroot(2) working: https://reviews.freebsd.org/D41564
Jun 7 2023
Implemented as https://reviews.freebsd.org/D38933.
Apr 26 2023
Apr 22 2023
Apr 12 2023
In D39507#899652, @dchagin wrote: well, the part after a dash is not standard, it depends on the distribution, so we can put any information here, and it would be nice to print p_osrel of the current process here.
However, I would propose completely removing pr_osrelease from struct linux_prison, as we have pr_osrel, and because pr_osrelease was intended to be mapped into the vDSO page at the Note section. But that's not possible due to jails, so it can be removed now.
trasz added a comment to D38933: namei: Add the ability for the ABI to specify an alternate root path.
In D38933#897702, @mjg wrote:I strongly suspect the right way is to have linux binaries auto chrooted to /compat/linux or whatever you are looking up against and then have nullfs mounts inside for /home, /tmp and whatever else which makes sense to share. This avoids any suspicious lookups like failing to find a file in Linux because it is missing when it should not and trying to pick up the FreeBSD one. This also avoids adding any complexity to the kernel.
trasz added a comment to D38351: [RFC/Proposal] Mechanism for in-kernel AT_FDCWD substitution with provided FD for oblivious sandboxing with Capsicum.
Hah, I've been working on something similar, although from a somewhat different, CHERI-related, angle :)
Apr 11 2023
Mar 18 2023
ihor_antonovs.family awarded D7474: Add rc.conf support for foo_daemon="-r". a Like token.
Nov 19 2022
Only tangentially related, but I wonder if this constant shouldn't be defined for arm64 too?
May 19 2022
My first thought about ENODEV was something about GEOM. ENOENT, on the other hand, would make it obvious what's going on: the root device node is simply not there.
May 18 2022
I've been burned by this in the past, but I've assumed it's just me. This time, though, there was another person involved, and this made me reconsider. In this case it's not even that it's a remote machine: this is for a homebrew remote management mechanism; essentially we have BeagleBone Blacks hooked up to the actual machines (mechanically they are inside the machines), which provide remote console and virtual media, and halting one of those by mistake - for example when you fail to notice the cu(1) to the "real" machine has been disconnected - results in having to power cycle the whole thing, which is one thing our BBB-based remote management does not provide.
May 16 2022
May 14 2022
Linux, it’s a Linux core file :-) The easiest way is to use debootstrap port to bootstrap an Ubuntu Bionic userland, then chroot there and do “apt install gdb”. See https://wiki.freebsd.org/LinuxJails.
I’m not opposed to this patch, but isn’t this what core files are for?
Feb 22 2022
rc.d/linux: Attempt to mount only if necessary
rc: improve dependencies for growfs
Feb 21 2022
trasz committed rGd3f0d2c0eef6: linux: Add additional ptracestop only if the debugger is Linux (authored by trasz).
linux: Add additional ptracestop only if the debugger is Linux
trasz committed R9:754da8344b84: website: Get rid of tables for snapshots in where/ (authored by trasz).
website: Get rid of tables for snapshots in where/
trasz committed rGbb726462cbea: linux: Make PTRACE_GETREGSET return proper buffer size (authored by trasz).
linux: Make PTRACE_GETREGSET return proper buffer size
linux: Fix ptrace panic with ERESTART
linux: Improve debug for PTRACE_GETEVENTMSG
linux: implement PTRACE_EVENT_EXEC
trasz committed rG3b7841de78a3: linux: Make PTRACE_GET_SYSCALL_INFO handle EJUSTRETURN (authored by trasz).
linux: Make PTRACE_GET_SYSCALL_INFO handle EJUSTRETURN
linux: Improve debug for PTRACE_GETREGSET
linux: Implement some bits of PTRACE_PEEKUSER
linux: Improve debugging for PTRACE_GETREGSET