Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()

Description

Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()

As implemented, this security policy would only prevent seeing processes
in sub-jails, but would not prevent sending signals to, changing
priority of or debugging processes in these, enabling attacks where
unprivileged users could tamper with random processes in sub-jails in
particular circumstances (conflated UIDs) despite the policy being
enforced.

PR: 272092
Reviewed by: mhorne
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40628

(cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18)

Approved by: markj (mentor)
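The gap the commit message describes, as an added example: a simplified userland model, not FreeBSD source and not code from this commit. All struct and function names are hypothetical; it models only the jail part of the policy on the signal path, for an unprivileged subject.

```c
#include <errno.h>
#include <stdio.h>
/* Simplified userland model, not FreeBSD source; all names are hypothetical. */
struct jail { const struct jail *parent; };            /* parent NULL = host */
struct cred { unsigned uid; const struct jail *jail; };
static int see_jail_proc = 0;     /* models security.bsd.see_jail_proc=0 */

/* Base jail rule: a subject reaches its own jail and any sub-jail of it. */
static int jail_reachable(const struct cred *s, const struct cred *o)
{
    for (const struct jail *j = o->jail; j != NULL; j = j->parent)
        if (j == s->jail)
            return 0;
    return ESRCH;
}

/* The policy: when set to 0, processes outside the subject's own jail are hidden. */
static int jail_policy(const struct cred *s, const struct cred *o)
{
    return (!see_jail_proc && s->jail != o->jail) ? ESRCH : 0;
}

static int can_see(const struct cred *s, const struct cred *o)
{
    int error = jail_reachable(s, o);
    return error ? error : jail_policy(s, o);
}

/* apply_policy=0 models the signal check before the fix, 1 models it after. */
static int can_signal(const struct cred *s, const struct cred *o, int apply_policy)
{
    int error = jail_reachable(s, o);
    if (error == 0 && apply_policy)
        error = jail_policy(s, o);
    if (error == 0 && s->uid != o->uid)
        error = EPERM;            /* unprivileged: UIDs must match */
    return error;
}

/* Constructed sample: host user and sub-jail process share UID 1001. */
static const struct jail host = { NULL }, sub = { &host };
static const struct cred host_user = { 1001, &host }, jailed_proc = { 1001, &sub };

int main(void)
{
    printf("see=%d before=%d after=%d\n", can_see(&host_user, &jailed_proc),
        can_signal(&host_user, &jailed_proc, 0), can_signal(&host_user, &jailed_proc, 1));
    return 0;
}
```

In the model, the pre-fix signal check succeeds for a process the same subject cannot see; applying the policy on the signal path makes both checks agree.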

Details

Provenance
olce authored on Aug 17 2023, 11:54 PM
Reviewer
mhorne
Differential Revision
D40628: Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()
Parents
rG0dafeb5bc874: New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects