Page MenuHomeFreeBSD
Differential D51708

Some tweaks to kern_chroot(2)
ClosedPublic
Actions

Authored by kib on Aug 2 2025, 6:03 PM.
Tags
None
Referenced Files
F129803254: D51708.id159661.diff
Wed, Sep 24, 2:14 AM
Unknown Object (File)
Fri, Sep 19, 6:23 AM
Unknown Object (File)
Thu, Sep 18, 11:00 AM
Unknown Object (File)
Thu, Sep 18, 6:09 AM
Unknown Object (File)
Thu, Sep 18, 12:18 AM
Unknown Object (File)
Wed, Sep 17, 4:04 PM
Unknown Object (File)
Sat, Sep 13, 1:33 PM
Unknown Object (File)
Thu, Sep 11, 8:16 PM
View All 33 Files
Subscribers
imp
olce

Details

Reviewers
emaste
markj
kevans
Commits
rGcf0f693f0361: vfs_syscall.c: EXTERROR-ise EPERM from chroot(2)
rGa523d882a467: vfs_syscall.c: do not take process lock around the read of P2_NO_NEW_PRIVS
Summary
vfs_syscall.c: do not take process lock around the read of P2_NO_NEW_PRIVS

The flag is write-only, and if we raced with reading the action of
setting the flag, we can as well get it under the lock.


vfs_syscall.c: EXTERROR-ise EPERM from chroot(2)

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

kib created this revision.Aug 2 2025, 6:03 PM
Herald added subscribers: olce, imp. · View Herald TranscriptAug 2 2025, 6:03 PM
kib requested review of this revision.Aug 2 2025, 6:03 PM
emaste accepted this revision.Aug 2 2025, 6:10 PM

Maybe be explicit that unprivileged_chroot is a sysctl/tunable, e.g. security.bsd.unprivileged_chroot sysctl not enabled

This revision is now accepted and ready to land.Aug 2 2025, 6:10 PM
kib updated this revision to Diff 159653.Aug 2 2025, 6:13 PM

EXTERROR msg for disabled sysctl

This revision now requires review to proceed.Aug 2 2025, 6:13 PM
kevans accepted this revision.Aug 2 2025, 6:16 PM
kevans added inline comments.
sys/kern/vfs_syscalls.c
993

I don't feel that strongly here, but I think if I were to read this as someone unfamiliar, my question would be: "How does P2_NO_NEW_PRIVS get set?" -> a string that appears in a manpage to answer that would probably curtail that.

This revision is now accepted and ready to land.Aug 2 2025, 6:16 PM
kevans added inline comments.Aug 2 2025, 6:16 PM
sys/kern/vfs_syscalls.c
993

s/PROCS/PROC/, of course. bah.

kib updated this revision to Diff 159656.Aug 2 2025, 6:30 PM
kib marked 2 inline comments as done.

Use API flag name, not kernel internal flag.

This revision now requires review to proceed.Aug 2 2025, 6:30 PM
emaste accepted this revision.Aug 2 2025, 6:31 PM
This revision is now accepted and ready to land.Aug 2 2025, 6:31 PM
kevans accepted this revision.Aug 2 2025, 6:41 PM
Closed by commit rGa523d882a467: vfs_syscall.c: do not take process lock around the read of P2_NO_NEW_PRIVS (authored by kib). · Explain WhyAug 2 2025, 11:36 PM
This revision was automatically updated to reflect the committed changes.
kib added a commit: rGa523d882a467: vfs_syscall.c: do not take process lock around the read of P2_NO_NEW_PRIVS.
kib added a commit: rGcf0f693f0361: vfs_syscall.c: EXTERROR-ise EPERM from chroot(2).

Revision Contents
Changeset List

PathSize
sys/
kern/
14 lines

Diff 159656

View Options

sys/kern/vfs_syscalls.c

Loading...