Implement unprivileged chroot

Description

This builds on the recently introduced NO_NEW_PRIVS flag to implement
unprivileged chroot, enabled by security.bsd.unprivileged_chroot.
It allows non-root processes to chroot(2), provided they have the
NO_NEW_PRIVS flag set.

The chroot(8) utility gets a new flag, -n, which sets NO_NEW_PRIVS
before chrooting.

Reviewed By: kib
Sponsored By: EPSRC
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D30130
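
The sequence the commit message describes, as an added example that is not code from this commit or from FreeBSD: a non-root process checks security.bsd.unprivileged_chroot, sets NO_NEW_PRIVS on itself with procctl(2), then calls chroot(2). The helper name `enter_unprivileged_chroot` is hypothetical, and the `#else` branch exists only so the file builds on systems without procctl(2).

```c
/* Added example. FreeBSD only; elsewhere the helper fails with ENOSYS. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/procctl.h>
#include <sys/sysctl.h>
#endif

/* Hypothetical helper: 0 on success, -1 with errno set on failure. */
int
enter_unprivileged_chroot(const char *newroot)
{
#ifdef __FreeBSD__
	int enabled = 0, arg = PROC_NO_NEW_PRIVS_ENABLE;
	size_t len = sizeof(enabled);

	/* The sysctl named in the commit message must be switched on. */
	if (sysctlbyname("security.bsd.unprivileged_chroot", &enabled, &len,
	    NULL, 0) != 0)
		return (-1);
	if (!enabled) {
		errno = EPERM;
		return (-1);
	}
	/*
	 * One-way switch: the flag cannot be cleared, is inherited by
	 * children, and makes execve(2) ignore setuid/setgid bits, so
	 * setuid programs under the caller-chosen root run unprivileged.
	 */
	if (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &arg) != 0)
		return (-1);
	if (chroot(newroot) != 0)
		return (-1);
	/* Move the working directory inside the new root. */
	return (chdir("/"));
#else
	(void)newroot;
	errno = ENOSYS;
	return (-1);
#endif
}

int
main(int argc, char **argv)
{
	if (argc < 3) {
		fprintf(stderr, "usage: %s newroot command [args]\n", argv[0]);
		return (2);
	}
	if (enter_unprivileged_chroot(argv[1]) != 0) {
		fprintf(stderr, "chroot %s: %s\n", argv[1], strerror(errno));
		return (1);
	}
	execvp(argv[2], &argv[2]);
	perror("execvp");
	return (1);
}
```
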

Details

Provenance
trasz authored on Jul 20 2021, 8:56 AM
Reviewer
kib
Differential Revision
D30130: Unprivileged chroot
Parents
rG27ab791a5519: pf tests: ensure syncookie does not create state