https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262180

--- Comment #12 from [email protected] ---
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=10b3f2138573da952b4db29f88f6d67cfc3300cd

commit 10b3f2138573da952b4db29f88f6d67cfc3300cd
Author:     Mark Johnston <[email protected]>
AuthorDate: 2025-06-24 20:17:07 +0000
Commit:     Mark Johnston <[email protected]>
CommitDate: 2025-07-29 12:08:32 +0000

    file: Add a fd flag with O_RESOLVE_BENEATH semantics

    The O_RESOLVE_BENEATH openat(2) flag restricts name lookups such that
    they remain under the directory referenced by the dirfd.  This commit
    introduces an implicit version of the flag, FD_RESOLVE_BENEATH, stored
    in the file descriptor entry.  When the flag is set, any lookup relative
    to that fd automatically has O_RESOLVE_BENEATH semantics.  Furthermore,
    the flag is sticky, meaning that it cannot be cleared, and it is copied
    by dup() and openat().  File descriptors with FD_RESOLVE_BENEATH set may
    not be passed to fchdir(2) or fchroot(2).  Various fd lookup routines
    are modified to return fd flags to the caller.

    This flag will be used to address a case where jails with different root
    directories and the ability to pass SCM_RIGHTS messages across the jail
    boundary can transfer directory fds in such a way as to allow a
    filesystem escape.

    PR:             262180
    Reviewed by:    kib
    MFC after:      3 weeks
    Differential Revision:  https://reviews.freebsd.org/D50371

    (cherry picked from commit f35525ff2053e026a423e852136d73ed93c95803)

 lib/libc/sys/fcntl.2         | 63 +++++++++++++++++++----------
 sys/fs/fdescfs/fdesc_vnops.c |  4 +-
 sys/kern/kern_descrip.c      | 95 ++++++++++++++++++++++++++++++++------------
 sys/kern/uipc_syscalls.c     |  2 +-
 sys/kern/vfs_acl.c           |  4 +-
 sys/kern/vfs_cache.c         | 14 +++++--
 sys/kern/vfs_extattr.c       |  8 ++--
 sys/kern/vfs_syscalls.c      | 21 +++++++---
 sys/sys/fcntl.h              |  2 +
 sys/sys/file.h               |  2 +-
 sys/sys/filedesc.h           |  8 +++-
 sys/sys/namei.h              |  1 +
 12 files changed, 156 insertions(+), 68 deletions(-)
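
The rules stated in the commit message above, as an added user-space model in C (not code from the FreeBSD tree or from the commit author). `struct mfd`, `M_RESOLVE_BENEATH` and the `mfd_*` helpers are hypothetical names, and the path check is lexical only: symlinks are not modelled.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed user-space model of the commit message's rules; not kernel code. */
#define M_RESOLVE_BENEATH 0x1          /* hypothetical stand-in for FD_RESOLVE_BENEATH */
struct mfd { int flags; };             /* one modelled file descriptor entry */

/* Sticky: the flag can be set, but a later call cannot clear it. */
static void mfd_setflags(struct mfd *f, int flags) { f->flags |= flags & M_RESOLVE_BENEATH; }
/* dup() copies the flag to the new descriptor. */
static struct mfd mfd_dup(const struct mfd *f) { return *f; }
/* fchdir(2)/fchroot(2) are refused on a flagged descriptor. */
static bool mfd_fchdir_ok(const struct mfd *f) { return !(f->flags & M_RESOLVE_BENEATH); }

/* Lexical walk: false if the path is absolute or ".." climbs above the start.
 * Symlinks are not modelled; a real lookup must apply the rule to them too. */
static bool stays_beneath(const char *p)
{
    int depth = 0;
    if (*p == '/')
        return false;
    while (*p != '\0') {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return false;
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            depth++;
        }
        p += n + strspn(p + n, "/");   /* skip the component and any slashes */
    }
    return true;
}

/* openat() relative to dir; on success *out inherits the flag from dir. */
static bool mfd_openat(const struct mfd *dir, const char *path, struct mfd *out)
{
    if ((dir->flags & M_RESOLVE_BENEATH) && !stays_beneath(path))
        return false;
    out->flags = dir->flags & M_RESOLVE_BENEATH;
    return true;
}

int main(void)
{
    struct mfd dir = { 0 }, sub, copy, out;
    mfd_setflags(&dir, M_RESOLVE_BENEATH);
    copy = mfd_dup(&dir);
    bool a = mfd_openat(&dir, "sub", &sub);        /* allowed */
    bool b = mfd_openat(&sub, "../../etc", &out);  /* refused: sub inherited the flag */
    return (a && !b && !mfd_fchdir_ok(&copy)) ? 0 : 1;
}
```

Because the flag follows every descriptor derived from the flagged one, a receiver cannot shed the restriction by opening a subdirectory or duplicating the fd first.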
