Page MenuHomeFreeBSD
Differential D47601

MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules
ClosedPublic
Actions

Authored by olce on Nov 15 2024, 5:07 PM.
Tags
None
Referenced Files
F157076266: D47601.diff
Mon, May 18, 7:25 AM
Unknown Object (File)
Wed, May 13, 2:55 PM
Unknown Object (File)
Mon, May 11, 10:35 PM
Unknown Object (File)
Mon, May 11, 9:44 PM
Unknown Object (File)
Mon, May 11, 9:43 PM
Unknown Object (File)
Tue, Apr 21, 7:24 AM
Unknown Object (File)
Apr 9 2026, 1:54 AM
Unknown Object (File)
Apr 7 2026, 9:18 AM
View All 83 Files
Subscribers
emaste
imp
jlduran
lwhsu

Details

Reviewers
bapt
Commits
rG37a72b0ce427: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules
rG53d2e0d48549: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules
Summary

This revision is part of a series. Click on the Stack tab below to see the context.
This series has also been squeezed into D47633 to provide an overall view.

Commit message:
Allowing to change the rules specification on a jail other than the
requesting's thread one is a security issue, as it will immediately
apply to the jail we inherited from and all its other descendants that
inherit from it.

With this change, setting the 'mdo_rules' sysctl in a jail forces that
jail to no more inherit from its parent.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 60592
Build 57476: arc lint + arc unit

Event Timeline

olce created this revision.Nov 15 2024, 5:07 PM
Herald added a subscriber: imp. · View Herald TranscriptNov 15 2024, 5:07 PM
olce requested review of this revision.Nov 15 2024, 5:07 PM
Harbormaster completed remote builds in B60592: Diff 146534.Nov 15 2024, 5:07 PM
olce edited the summary of this revision. (Show Details)Nov 15 2024, 10:44 PM
olce added a parent revision: D47600: MAC/do: sysctl_rules(): Always copy the rules specification string.Nov 15 2024, 10:47 PM
olce added a child revision: D47602: MAC/do: Enable changing 'security.mac.do.rules' from a jail.
olce added a reviewer: bapt.Nov 15 2024, 10:49 PM
olce added subscribers: lwhsu, emaste.Nov 15 2024, 10:52 PM
olce added a subscriber: jlduran.Nov 18 2024, 8:51 AM
bapt accepted this revision.Nov 19 2024, 8:01 AM
This revision is now accepted and ready to land.Nov 19 2024, 8:01 AM
olce closed this revision.Dec 16 2024, 6:26 PM

Committed in rG53d2e0d4854997005271ee60791ab114bd6e0099.

emaste added a commit: rG53d2e0d48549: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules.Dec 16 2024, 6:29 PM
olce added a commit: rG37a72b0ce427: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules.Apr 3 2025, 7:34 PM

Revision Contents
Changeset List

PathSize
sys/
security/
mac_do/
6 lines

Diff 146534

View Options

sys/security/mac_do/mac_do.c

Loading...