Add mount option to disallow creating sockets on filesystem
Needs ReviewPublic
Actions

Authored by firk_cantconnect.ru on Mar 14 2022, 11:28 PM.

Tags

Referenced Files

	Unknown Object (File)
	Nov 17 2024, 9:35 AM

	Unknown Object (File)
	Oct 11 2024, 9:20 AM

	Unknown Object (File)
	Oct 11 2024, 7:12 AM

	Unknown Object (File)
	Oct 4 2024, 3:31 PM

	Unknown Object (File)
	Oct 4 2024, 6:26 AM

	Unknown Object (File)
	Oct 1 2024, 7:26 PM

	Unknown Object (File)
	Oct 1 2024, 1:17 PM

	Unknown Object (File)
	Oct 1 2024, 3:54 AM

View All 37 Files

Subscribers

dsl

imp

This revision needs review, but there are no reviewers specified.

Details

Reviewers: None

Summary

Added "nosockbind" mountopt, which prevents binding new UNIX domain sockets in the filesystem. The option is intentionally not transparent through nullfs. The original idea was to prevent unwanted and possibly exploitable (may lead to jail escaping,see bugzilla for details) UNIX-socket IPC between two different jails via socket in nullfs-shared directory.

PR: 262179

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

firk_cantconnect.ru created this revision.Mar 14 2022, 11:28 PM

Herald added a subscriber: imp. · View Herald TranscriptMar 14 2022, 11:28 PM

firk_cantconnect.ru requested review of this revision.Mar 14 2022, 11:28 PM

firk_cantconnect.ru retitled this revision from Add mount option to disallow creating socketson filesystem to Add mount option to disallow creating sockets on filesystem.Mar 15 2022, 12:25 AM