Diffusion FreeBSD src repository 53d2e0d48549

MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules
53d2e0d48549
Actions

Description

MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules

Allowing to change the rules specification on a jail other than the
requesting's thread one is a security issue, as it will immediately
apply to the jail we inherited from and all its other descendants that
inherit from it.

With this change, setting the 'mdo_rules' sysctl in a jail forces that
jail to no more inherit from its parent.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47601

Details

Provenance

olce	Authored on Jul 3 2024, 12:59 PM

Reviewer

bapt

Differential Revision

D47601: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules

Parents

rG292c814931d9: MAC/do: sysctl_rules(): Always copy the rules specification string

Branches

Unknown

Tags

Unknown

Event Timeline

olce committed rG53d2e0d48549: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules (authored by olce).Mon, Dec 16, 2:42 PM

olce mentioned this in D47601: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules.Mon, Dec 16, 6:26 PM

emaste added an edge: D47601: MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules.Mon, Dec 16, 6:29 PM

Changes (1)

Path

Size

sys/

security/

mac_do/

mac_do.c

rG53d2e0d48549

View Options

sys/security/mac_do/mac_do.c