aboutsummaryrefslogtreecommitdiff
path: root/RELNOTES
diff options
context:
space:
mode:
authorKyle Evans <kevans@FreeBSD.org>2020-06-04 18:17:25 +0000
committerKyle Evans <kevans@FreeBSD.org>2020-06-04 18:17:25 +0000
commit63619b6dba17f90514355706cea0f825d131d5e4 (patch)
tree390b42ad5c0d08b6897d3c7c5121100657d78a64 /RELNOTES
parentdcef4f65ae3978c50eab745f67364db4660a9f43 (diff)
downloadsrc-63619b6dba17f90514355706cea0f825d131d5e4.tar.gz
src-63619b6dba17f90514355706cea0f825d131d5e4.zip
vfs: add restrictions to read(2) of a directory [2/2]
This commit adds the priv(9) that waters down the sysctl to make it only allow read(2) of a dirfd by the system root. Jailed root is not allowed, but jail policy and superuser policy will abstain from allowing/denying it so that a MAC module can fully control the policy. Such a MAC module has been written, and can be found at: https://people.freebsd.org/~kevans/mac_read_dir-0.1.0.tar.gz It is expected that the MAC module won't be needed by many, as most only need to do such diagnostics that require this behavior as system root anyways. Interested parties are welcome to grab the MAC module above and create a port or locally integrate it, and with enough support it could see introduction to base. As noted in mac_read_dir.c, it is released under the BSD 2 clause license and allows the restrictions to be lifted for only jailed root or for all unprivileged users. PR: 246412 Reviewed by: mckusick, kib, emaste, jilles, cy, phk, imp (all previous) Reviewed by: rgrimes (latest version) Differential Revision: https://reviews.freebsd.org/D24596
Notes
Notes: svn path=/head/; revision=361799
Diffstat (limited to 'RELNOTES')
0 files changed, 0 insertions, 0 deletions