
Add mount option to disallow creating sockets on filesystem
Needs Review · Public

Authored by firk_cantconnect.ru on Mar 14 2022, 11:28 PM.
Subscribers
This revision needs review, but there are no reviewers specified.

Details

Reviewers
None
Summary

Added "nosockbind" mountopt, which prevents binding new UNIX domain sockets in the filesystem. The option is intentionally not transparent through nullfs. The original idea was to prevent unwanted and possibly exploitable (may lead to jail escaping, see Bugzilla for details) UNIX-socket IPC between two different jails via a socket in a nullfs-shared directory.

PR: 262179
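
An audit sketch for the exposure the summary describes, added here as an example and not part of this revision or the FreeBSD source tree: binding a UNIX domain socket to a path creates a socket node in the filesystem, so a directory shared between jails can be checked for such nodes. The function names and the temporary directory layout are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile


def find_unix_sockets(root):
    """Walk root without following symlinks and report every socket node."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk lists socket nodes among the non-directory entries.
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never resolve a symlink
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if stat.S_ISSOCK(st.st_mode):
                found.append({
                    "path": path,
                    "uid": st.st_uid,                  # owner of the node
                    "mode": stat.S_IMODE(st.st_mode),  # permission bits
                })
    return sorted(found, key=lambda entry: entry["path"])


def demo():
    """Constructed sample: a stand-in for a shared directory with one socket."""
    with tempfile.TemporaryDirectory() as shared:
        os.mkdir(os.path.join(shared, "run"))
        # An ordinary file that the audit must not report.
        with open(os.path.join(shared, "notes.txt"), "w") as fh:
            fh.write("not a socket\n")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            # bind() is the operation that creates the filesystem node.
            srv.bind(os.path.join(shared, "run", "ipc.sock"))
            hits = find_unix_sockets(shared)
            return [os.path.relpath(entry["path"], shared) for entry in hits]
        finally:
            srv.close()


if __name__ == "__main__":
    for rel in demo():
        print("socket node:", rel)
```

The socket node stays in the directory after the bound process exits unless it is unlinked, so a hit does not by itself mean a listener is still running.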

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

firk_cantconnect.ru retitled this revision from "Add mount option to disallow creating socketson filesystem" to "Add mount option to disallow creating sockets on filesystem". Mar 15 2022, 12:25 AM