[Bug 272092] The 'see_jail_proc' security policy still allows signaling and debugging sub-jails' processes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272092 Olivier Certner changed: What|Removed |Added Assignee|j...@freebsd.org|o...@freebsd.org --- Comment #5 from Olivier Certner --- Assign to resolver (me). -- You are receiving this mail because: You are the assignee for the bug.
[Bug 272092] The 'see_jail_proc' security policy still allows signaling and debugging sub-jails' processes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272092 --- Comment #4 from commit-h...@freebsd.org --- A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=9a4a7e5fb6e901e81c8e64a988358ad4b59464a5 commit 9a4a7e5fb6e901e81c8e64a988358ad4b59464a5 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Olivier Certner CommitDate: 2023-12-21 13:36:17 + Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible() As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced. PR: 272092 Reviewed by:mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40628 (cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18) Approved by:markj (mentor) sys/kern/kern_prot.c | 25 +++-- sys/netinet/in_prot.c | 4 +--- 2 files changed, 8 insertions(+), 21 deletions(-) -- You are receiving this mail because: You are the assignee for the bug.
[Bug 272092] The 'see_jail_proc' security policy still allows signaling and debugging sub-jails' processes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272092 Olivier Certner changed: What|Removed |Added Resolution|--- |FIXED Status|Open|Closed -- You are receiving this mail because: You are the assignee for the bug.
[Bug 272092] The 'see_jail_proc' security policy still allows signaling and debugging sub-jails' processes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272092 --- Comment #3 from commit-h...@freebsd.org --- A commit in branch releng/14.0 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=7e21c691f295b3babc8c57c0aeafa19faf1371b6 commit 7e21c691f295b3babc8c57c0aeafa19faf1371b6 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Mitchell Horne CommitDate: 2023-10-18 17:59:51 + Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible() As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced. Approved by:re (gjb) PR: 272092 Reviewed by:mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40628 (cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18) (cherry picked from commit abfcae344feb89c635616769d12150f84c96c003) sys/kern/kern_prot.c | 25 +++-- sys/netinet/in_prot.c | 4 +--- 2 files changed, 8 insertions(+), 21 deletions(-) -- You are receiving this mail because: You are the assignee for the bug.
[Bug 272092] The 'see_jail_proc' security policy still allows signaling and debugging sub-jails' processes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272092 --- Comment #2 from commit-h...@freebsd.org --- A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=e1153205a719c6cb792cb2213a3737ee6b53d59c commit e1153205a719c6cb792cb2213a3737ee6b53d59c Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Mitchell Horne CommitDate: 2023-10-17 19:42:58 + Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible() As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced. PR: 272092 Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40628 (cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18) sys/kern/kern_prot.c | 25 +++-- sys/netinet/in_prot.c | 4 +--- 2 files changed, 8 insertions(+), 21 deletions(-) -- You are receiving this mail because: You are the assignee for the bug.
[Bug 272092] The 'see_jail_proc' security policy still allows signaling and debugging sub-jails' processes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272092 --- Comment #1 from commit-h...@freebsd.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=5817169bc4a06a35aa5ef7f5ed18f6cb35037e18 commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18 Author: Olivier Certner AuthorDate: 2023-08-17 23:54:38 + Commit: Mitchell Horne CommitDate: 2023-09-28 14:59:08 + Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible() As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced. PR: 272092 Reviewed by:mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40628 sys/kern/kern_prot.c | 25 +++-- sys/netinet/in_prot.c | 4 +--- 2 files changed, 8 insertions(+), 21 deletions(-) -- You are receiving this mail because: You are the assignee for the bug.
[Bug 272092] The 'see_jail_proc' security policy still allows signaling and debugging sub-jails' processes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272092 Olivier Certner changed: What|Removed |Added See Also||https://reviews.freebsd.org ||/D40628 -- You are receiving this mail because: You are the assignee for the bug.
[Bug 272092] The 'see_jail_proc' security policy still allows signaling and debugging sub-jails' processes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272092 Mina Galić changed: What|Removed |Added Assignee|b...@freebsd.org|j...@freebsd.org CC|j...@freebsd.org| Status|New |Open -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug.
[Bug 272092] The 'see_jail_proc' security policy still allows signaling and debugging sub-jails' processes
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272092 Mina Galić changed: What|Removed |Added CC||free...@igalic.co, ||j...@freebsd.org -- You are receiving this mail because: You are on the CC list for the bug.
