unix: Set O_RESOLVE_BENEATH on fds transferred between jails

If a pair of jails with different filesystem roots is able to exchange
SCM_RIGHTS messages (e.g., using a unix socket in a shared nullfs
mount), a process in one jail can open a directory outside of the root
of the second jail and then pass the fd to that second jail, allowing
the receiving process to escape the jail chroot.

Address this using the new FD_RESOLVE_BENEATH flag.  When externalizing
an SCM_RIGHTS message into the receiving process, automatically set this
flag on all new fds where a jail boundary is crossed.  This ensures that
the receiver cannot do more than access files underneath the directory;
in particular, the received fd cannot be used to access vnodes not
accessible by the sender.

PR:		262179
Reviewed by:	kib
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D50371
Mark Johnston 2025-06-24 20:05:37 +00:00
parent f35525ff20
commit 350ba9672a
2 changed files with 28 additions and 8 deletions

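--- /dev/null
+++ b/sys/amd64/conf/SYZKALLER
@@ -0,0 +1,5 @@
+include GENERIC-KASAN
+ident SYZKALLER
+options COVERAGE
+options KCOV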

@ -56,7 +56,6 @@
* need a proper out-of-band
*/
#include <sys/cdefs.h>
#include "opt_ddb.h"
#include <sys/param.h>
@ -66,6 +65,7 @@
#include <sys/fcntl.h>
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
@ -3437,22 +3437,34 @@ unp_freerights(struct filedescent **fdep, int fdcount)
free(fdep[0], M_FILECAPS);
}
static bool
restrict_rights(struct file *fp, struct thread *td)
{
struct prison *prison1, *prison2;
prison1 = fp->f_cred->cr_prison;
prison2 = td->td_ucred->cr_prison;
return (prison1 != prison2 && prison1->pr_root != prison2->pr_root &&
prison2 != &prison0);
}
static int
unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags)
{
struct thread *td = curthread; /* XXX */
struct cmsghdr *cm = mtod(control, struct cmsghdr *);
int i;
int *fdp;
struct filedesc *fdesc = td->td_proc->p_fd;
struct filedescent **fdep;
void *data;
socklen_t clen = control->m_len, datalen;
int error, newfds;
int error, fdflags, newfds;
u_int newlen;
UNP_LINK_UNLOCK_ASSERT();
fdflags = (flags & MSG_CMSG_CLOEXEC) ? O_CLOEXEC : 0;
error = 0;
if (controlp != NULL) /* controlp == NULL => free control messages */
*controlp = NULL;
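Review bot: The new restrict_rights() at the top of this hunk encodes three non-obvious exemptions with no comment: the receiver being the host (prison2 == &prison0), the two prisons sharing pr_root, and the fact that the comparison is against the credential stored on the file (fp->f_cred, presumably the opener's) rather than the sending process, which is what lets a descriptor relayed through an intermediate jail still be judged against whoever opened it. A short comment above the function would keep the next maintainer from "simplifying" the condition, e.g. `/* Does a descriptor opened under fp->f_cred need O_RESOLVE_BENEATH when installed into td's process?  Only if the two prisons have different filesystem roots and the receiver is itself jailed; the host is never restricted. */`. It is also worth stating in that comment that the flag only bounds lookups relative to the descriptor; the received fd still names a vnode outside the receiver's root, which is the property the commit message describes. Finally, `struct thread *td = curthread; /* XXX */` is pre-existing, but restrict_rights() now relies on it naming the receiving process, so the XXX deserves either a resolution or a one-line justification. unp_externalize() continues past this hunk into the next one.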
@ -3494,11 +3506,14 @@ unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags)
*controlp = NULL;
goto next;
}
for (i = 0; i < newfds; i++, fdp++) {
_finstall(fdesc, fdep[i]->fde_file, *fdp,
(flags & MSG_CMSG_CLOEXEC) != 0 ? O_CLOEXEC : 0,
&fdep[i]->fde_caps);
unp_externalize_fp(fdep[i]->fde_file);
for (int i = 0; i < newfds; i++, fdp++) {
struct file *fp;
fp = fdep[i]->fde_file;
_finstall(fdesc, fp, *fdp, fdflags |
(restrict_rights(fp, td) ?
O_RESOLVE_BENEATH : 0), &fdep[i]->fde_caps);
unp_externalize_fp(fp);
}
/*