Paths

Table of Contentst

Differential D47601

MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules
ClosedPublic
Actions

Authored by olce on Nov 15 2024, 5:07 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Tue, Feb 18, 1:03 AM

	Unknown Object (File)
	Sat, Feb 15, 6:47 PM

	Unknown Object (File)
	Thu, Feb 13, 7:11 AM

	Unknown Object (File)
	Feb 6 2025, 12:28 AM

	Unknown Object (File)
	Jan 30 2025, 2:34 AM

	Unknown Object (File)
	Jan 8 2025, 5:44 AM

	Unknown Object (File)
	Jan 5 2025, 2:19 AM

	Unknown Object (File)
	Jan 3 2025, 8:44 AM

View All 26 Files

Subscribers

Details

Reviewers

Commits

rG53d2e0d48549: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules

Summary

This revision is part of a series. Click on the Stack tab below to see the context.
This series has also been squeezed into D47633 to provide an overall view.

Commit message:
Allowing to change the rules specification on a jail other than the
requesting's thread one is a security issue, as it will immediately
apply to the jail we inherited from and all its other descendants that
inherit from it.

With this change, setting the 'mdo_rules' sysctl in a jail forces that
jail to no more inherit from its parent.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 60592
Build 57476: arc lint + arc unit

Event Timeline

olce created this revision.Nov 15 2024, 5:07 PM

Herald added a subscriber: imp. · View Herald TranscriptNov 15 2024, 5:07 PM

olce requested review of this revision.Nov 15 2024, 5:07 PM

Harbormaster completed remote builds in B60592: Diff 146534.Nov 15 2024, 5:07 PM

olce edited the summary of this revision. (Show Details)Nov 15 2024, 10:44 PM

olce added a parent revision: D47600: MAC/do: sysctl_rules(): Always copy the rules specification string.Nov 15 2024, 10:47 PM

olce added a child revision: D47602: MAC/do: Enable changing 'security.mac.do.rules' from a jail.

olce added a reviewer: bapt.Nov 15 2024, 10:49 PM

olce added subscribers: lwhsu, emaste.Nov 15 2024, 10:52 PM

olce added a subscriber: jlduran.Nov 18 2024, 8:51 AM

bapt accepted this revision.Nov 19 2024, 8:01 AM

This revision is now accepted and ready to land.Nov 19 2024, 8:01 AM

Committed in rG53d2e0d4854997005271ee60791ab114bd6e0099.

emaste added a commit: rG53d2e0d48549: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules.Dec 16 2024, 6:29 PM

Revision Contents
Changeset List

Path

Size

sys/

security/

mac_do/

6 lines

Diff 146534

sys/security/mac_do/mac_do.c

Loading...