
procctl(2): add PROC_NO_NEW_PRIVS_CTL, PROC_NO_NEW_PRIVS_STATUS
Closed Public

Authored by trasz on Jun 29 2021, 4:39 PM.

Details

Summary

This introduces a new, per-process flag, "NO_NEW_PRIVS", which
is inherited, preserved on exec, and cannot be cleared. The flag,
when set, makes subsequent execs ignore any SUID and SGID bits,
instead executing those binaries as if they were not set.

The main purpose of the flag is implementation of Linux PROC_NO_NEW_PRIVS
prctl(2), and possibly also unprivileged chroot.
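
The semantics described in the summary (set once, inherited by children, cannot be cleared), exercised from userland as an added example that is not part of this revision or of FreeBSD's code. The helper names (nnp_ctl, nnp_status, nnp_try_clear, nnp_child_status) are hypothetical, and the non-FreeBSD branch assumes Linux's prctl(2) with PR_SET_NO_NEW_PRIVS / PR_GET_NO_NEW_PRIVS so the same checks run on both systems.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/procctl.h>
/* FreeBSD: the procctl(2) commands added by this revision. */
int nnp_ctl(int enable) {
    int arg = enable ? PROC_NO_NEW_PRIVS_ENABLE : PROC_NO_NEW_PRIVS_DISABLE;
    return procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &arg);
}
/* Returns 1 if the flag is set, 0 if clear, -1 on error. */
int nnp_status(void) {
    int arg = 0;
    if (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_STATUS, &arg) != 0)
        return -1;
    return arg == PROC_NO_NEW_PRIVS_ENABLE;
}
#else
#include <sys/prctl.h>
/* Linux counterpart (assumption: any non-FreeBSD build is Linux). */
int nnp_ctl(int enable) { return prctl(PR_SET_NO_NEW_PRIVS, enable ? 1 : 0, 0, 0, 0); }
int nnp_status(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }
#endif

/* Try to clear the flag. Returns 0 if that (wrongly) succeeded, else errno. */
int nnp_try_clear(void) { return nnp_ctl(0) == 0 ? 0 : errno; }

/* Fork and report what the child sees: 1 set, 0 clear, -1 on error. */
int nnp_child_status(void) {
    int st;
    pid_t pid = fork();
    if (pid == 0)
        _exit(nnp_status() == 1);
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

int main(void) {
    printf("enable: %d\n", nnp_ctl(1));
    printf("status: %d\n", nnp_status());
    printf("clear errno: %d (EINVAL=%d)\n", nnp_try_clear(), EINVAL);
    printf("child status: %d\n", nnp_child_status());
    return 0;
}
```

A sandboxing wrapper would call nnp_ctl(1) and confirm nnp_status() returns 1 before exec'ing an untrusted program, since the flag also survives exec.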

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

trasz requested review of this revision. Jun 29 2021, 4:39 PM

compat32 requires handling.
vfs_syscall.c chunk should be a separate commit, perhaps even two commits.

sys/kern/kern_exec.c
789

() != 0

IMO the condition should be merged into previous if()

sys/kern/kern_procctl.c
428

For me, it is too many lines.

if (state != PROC_NO_NEW_PRIVS_ENABLE)
   return (EINVAL);
p->p_flag2 |= P2_NO_NEW_PRIVS;
return (0);

Style, add compat32, drop unrelated (well, related, but will be reviewed
separately) chunk.

Handle the man pages notes and bump the date. No need to update the review, I am fine with the code.

lib/libc/sys/procctl.2
569

s/created/activated

571

I do not think that 'descendants' is right. It makes an impression that all existing children get this treatment, which is not true.

Probably a better wording would be '... process and its future descendants'.

583

Either SETUID/SETGID, or SUID/SGID.

590

Didn't you miss .El there?

This revision is now accepted and ready to land. Jun 30 2021, 12:27 PM

looks OK to me.

Is there any way to set this bit without writing C code? (i.e., can it be used from a shell script?)

(Ignore that, I just found it in D30940 :-)