This is an RFC for two, somewhat related, features: PROC_NO_NEW_PRIVS,
and unprivileged chroot(8). There are bits missing, primarily the
documentation and proccontrol(1) support, but it shows the idea.
Feedback is welcome.
PROC_NO_NEW_PRIVS is a flag, set with procctl(2), which makes
execve(2) ignore the suid bit. It's semantically the same
as Linux PR_SET_NO_NEW_PRIVS prctl(2) option. The flag is inherited
and cannot be cleared.
Unprivileged chroot, enabled by `security.bsd.unprivileged_chroot`,
allows non-root processes to chroot(2), provided they have the
NO_NEW_PRIVS flag set.
The chroot(8) utility gets a new flag, -n, which sets NO_NEW_PRIVS
before chrooting.
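As an added illustration of the two features together (this is not code from the RFC or from FreeBSD), the program below sets the no-new-privs flag, shows that a forked child inherits it, and then attempts chroot(2) from a child process as whatever user it is running as. On FreeBSD it uses procctl(2); the constant names PROC_NO_NEW_PRIVS_CTL, PROC_NO_NEW_PRIVS_ENABLE and PROC_NO_NEW_PRIVS_STATUS are assumed from the procctl(2) interface as it later shipped, since the RFC itself only names the flag. On Linux it uses the prctl(2) PR_SET_NO_NEW_PRIVS option the RFC calls semantically equivalent, where unprivileged chroot(2) still fails with EPERM because that system has no counterpart to security.bsd.unprivileged_chroot.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__FreeBSD__)
#include <sys/procctl.h>
#elif defined(__linux__)
#include <sys/prctl.h>
#endif

/* Set the no-new-privs flag on the calling process.
 * Returns 0 on success, -1 with errno set on failure.
 * FreeBSD names below are assumed from the shipped procctl(2) API. */
static int
set_no_new_privs(void)
{
#if defined(__FreeBSD__)
	int arg = PROC_NO_NEW_PRIVS_ENABLE;
	return procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &arg);
#elif defined(__linux__)
	return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
#else
	errno = ENOSYS;
	return -1;
#endif
}

/* Query the flag: 1 if set, 0 if clear, -1 on error. */
static int
get_no_new_privs(void)
{
#if defined(__FreeBSD__)
	int status;
	if (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_STATUS, &status) == -1)
		return -1;
	return status == PROC_NO_NEW_PRIVS_ENABLE;
#elif defined(__linux__)
	return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
#else
	errno = ENOSYS;
	return -1;
#endif
}

/* Set the flag, fork, and have the child report whether it sees it.
 * Returns 1 if the child observed the flag, 0 if not, -1 on error. */
static int
no_new_privs_inherited(void)
{
	pid_t pid;
	int status;

	if (set_no_new_privs() == -1)
		return -1;
	pid = fork();
	if (pid == -1)
		return -1;
	if (pid == 0)
		_exit(get_no_new_privs() == 1 ? 0 : 1);
	if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status) == 0;
}

/* Try chroot(2) into dir from a forked child so the caller's root is
 * untouched.  Returns 0 on success or the child's errno (e.g. EPERM).
 * chdir("/") follows the chroot because chroot(2) does not move the
 * working directory into the new root. */
static int
try_chroot_in_child(const char *dir)
{
	pid_t pid = fork();
	int status;

	if (pid == -1)
		return errno;
	if (pid == 0) {
		if (chroot(dir) == -1)
			_exit(errno);
		if (chdir("/") == -1)
			_exit(errno);
		_exit(0);
	}
	if (waitpid(pid, &status, 0) == -1)
		return errno;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int
main(void)
{
	int rc;

	if (no_new_privs_inherited() != 1) {
		fprintf(stderr, "no-new-privs flag not inherited: %s\n",
		    strerror(errno));
		return 1;
	}
	printf("no-new-privs flag set and inherited by child\n");
	rc = try_chroot_in_child("/");
	printf("chroot(\"/\") as uid %d: %s\n", (int)getuid(),
	    rc == 0 ? "ok" : strerror(rc));
	return 0;
}
```

Run it as a non-root user: on FreeBSD with security.bsd.unprivileged_chroot=1 the chroot succeeds only because the flag was set first; with the sysctl at its default, or on Linux without CAP_SYS_CHROOT, the attempt reports EPERM while the flag is still reported as inherited. The order matters in both cases: once the flag is set it cannot be cleared, so set it last in any code that still needs a setuid helper.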