
procctl(2): add PROC_NO_NEW_PRIVS_CTL, PROC_NO_NEW_PRIVS_STATUS
Closed, Public

Authored by trasz on Jun 29 2021, 4:39 PM.

Details

Summary

This introduces a new, per-process flag, "NO_NEW_PRIVS", which
is inherited, preserved on exec, and cannot be cleared. The flag,
when set, makes subsequent execs ignore any SUID and SGID bits,
instead executing those binaries as if they were not set.

The main purpose of the flag is implementation of Linux PROC_NO_NEW_PRIVS
prctl(2), and possibly also unprivileged chroot.
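Added example, not part of this revision's diff: thin wrappers that exercise the three properties the summary states (the flag can be set, cannot be cleared, and is inherited by children), using the PROC_NO_NEW_PRIVS_CTL/PROC_NO_NEW_PRIVS_STATUS procctl(2) commands on FreeBSD (with the companion PROC_NO_NEW_PRIVS_DISABLE value from sys/procctl.h) and the prctl(2) analogue the summary names on Linux, so the same code builds on both.

```c
/* Added example, not part of this revision: wrappers around the NO_NEW_PRIVS
 * flag via procctl(2) on FreeBSD or the prctl(2) analogue on Linux. */
#include <errno.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/procctl.h>
#else
#include <sys/prctl.h>
#endif
/* Set (enable != 0) the flag on the calling process: 0 on success, -1 and errno
 * set on failure. Passing enable == 0 is rejected with EINVAL by both kernels
 * (FreeBSD accepts only PROC_NO_NEW_PRIVS_ENABLE, as in the reviewer's snippet
 * below), which is what "cannot be cleared" means in practice. */
int no_new_privs_set(int enable)
{
#ifdef __FreeBSD__
	int state = enable ? PROC_NO_NEW_PRIVS_ENABLE : PROC_NO_NEW_PRIVS_DISABLE;
	return (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &state));
#else
	return (prctl(PR_SET_NO_NEW_PRIVS, enable ? 1 : 0, 0, 0, 0));
#endif
}
/* Query the flag on the calling process: 1 if set, 0 if clear, -1 on error. */
int no_new_privs_status(void)
{
#ifdef __FreeBSD__
	int state;
	if (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_STATUS, &state) != 0)
		return (-1);
	return (state == PROC_NO_NEW_PRIVS_ENABLE);
#else
	return (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0));
#endif
}
/* Fork and report whether the child inherited the flag: 1 yes, 0 no, -1 error. */
int no_new_privs_child_inherits(void)
{
	int status;
	pid_t pid = fork();
	if (pid == 0)
		_exit(no_new_privs_status() == 1 ? 0 : 1);
	if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
		return (-1);
	return (WEXITSTATUS(status) == 0);
}
```

Once no_new_privs_set(1) has succeeded, the process and every process it forks or execs from then on will run SUID/SGID binaries with those bits ignored, which is the sandboxing guarantee the flag exists to give.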

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

trasz requested review of this revision. Jun 29 2021, 4:39 PM

compat32 requires handling.
vfs_syscall.c chunk should be a separate commit, perhaps even two commits.

sys/kern/kern_exec.c
788

() != 0

IMO the condition should be merged into previous if()

sys/kern/kern_procctl.c
427

For me, it is too many lines.

if (state != PROC_NO_NEW_PRIVS_ENABLE)
	return (EINVAL);
p->p_flag2 |= P2_NO_NEW_PRIVS;
return (0);

Style, add compat32, drop unrelated (well, related, but will be reviewed
separately) chunk.

Handle the man pages notes and bump the date. No need to update the review, I am fine with the code.

lib/libc/sys/procctl.2
568

s/created/activated

570

I do not think that 'descendants' is right. It makes an impression that all existing children get this treatment, which is not true.

Probably a better wording would be '... process and its future descendants'.

582

Either SETUID/SETGID, or SUID/SGID.

589

Didn't you miss .El there?

This revision is now accepted and ready to land. Jun 30 2021, 12:27 PM

looks OK to me.

Is there any way to set this bit without writing C code? (i.e. can it be used from a shell script?)

(Ignore that, I just found it in D30940 :-)