Implement unprivileged chroot

Description

This builds on the recently introduced NO_NEW_PRIVS flag to implement
unprivileged chroot, enabled by security.bsd.unprivileged_chroot.
It allows non-root processes to chroot(2), provided they have the
NO_NEW_PRIVS flag set.

The chroot(8) utility gets a new flag, -n, which sets NO_NEW_PRIVS
before chrooting.

Reviewed By: kib
Sponsored By: EPSRC
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D30130

(cherry picked from commit a40cf4175c90142442d0c6515f6c83956336699b)
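
The sequence the commit message describes (set NO_NEW_PRIVS, then chroot as a non-root process), written out in C as an added example; it is not code from this commit or from FreeBSD. It assumes the procctl(2) `PROC_NO_NEW_PRIVS_CTL` request is used to set the flag (the page names only the flag itself), and the function and enum names are hypothetical.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/procctl.h>
#endif

/* Result codes; names are hypothetical, chosen for this example. */
enum uc_status { UC_OK, UC_UNSUPPORTED, UC_NNP_FAILED, UC_CHROOT_FAILED, UC_CHDIR_FAILED };

/* Confine the caller to dir without root. NO_NEW_PRIVS cannot be cleared
 * once set, so setuid binaries in the new root cannot raise privileges. */
enum uc_status
unpriv_chroot(const char *dir)
{
#if defined(__FreeBSD__) && defined(PROC_NO_NEW_PRIVS_CTL)
	int arg = PROC_NO_NEW_PRIVS_ENABLE;

	/* Step 1: set the flag on the current process (P_PID with id 0). */
	if (procctl(P_PID, 0, PROC_NO_NEW_PRIVS_CTL, &arg) != 0)
		return (UC_NNP_FAILED);
	/* Step 2: EPERM here can mean security.bsd.unprivileged_chroot is 0. */
	if (chroot(dir) != 0)
		return (UC_CHROOT_FAILED);
	/* Step 3: move the working directory inside the new root. */
	if (chdir("/") != 0)
		return (UC_CHDIR_FAILED);
	return (UC_OK);
#else
	(void)dir;	/* built on a system without the FreeBSD interface */
	errno = ENOSYS;
	return (UC_UNSUPPORTED);
#endif
}

int
main(int argc, char **argv)
{
	if (argc != 2)
		return (2);
	if (unpriv_chroot(argv[1]) != UC_OK) {
		perror("unpriv_chroot");
		return (1);
	}
	execl("/bin/sh", "sh", (char *)NULL);	/* shell inside the new root */
	return (1);
}
```

Checking the return code at each step matters for the ordering: if setting the flag fails, the function returns before chroot(2) is attempted at all.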

Details

Provenance: trasz, authored on Jul 20 2021, 8:56 AM
Reviewer: kib
Differential Revision: D30130: Unprivileged chroot
Parents: rGc428292cb376: libpfctl: fix pfctl_kill_states()
Branches: Unknown
Tags: Unknown