path: root/include/stab.h
author: Kyle Evans <kevans@FreeBSD.org> 2026-02-03 04:37:23 +0000
committer: Kyle Evans <kevans@FreeBSD.org> 2026-02-03 04:37:23 +0000
commit: 5c6949e12ee6143505a200b37f2d0bbaf2611656 (patch)
tree: 2077c2a5d70941b1fbbee7df6e9a4f2c20da2141 /include/stab.h
parent: 56b9de5484bc035304290d83fb2dc92d55b98eb4 (diff)
kern: disallow user scheduling/debugging/signalling of jailed procs (branch: stable/14)
Currently, jails are generally ignored when determining whether the current process/thread can take action upon another, except to determine if the target's jail is somewhere in the source's hierarchy. Notably, uid 1001 in a jail (including prison0) can take action upon a process run by uid 1001 inside of a subordinate jail by default. While this could be considered a feature at times, it is a scenario that really should be deliberately crafted; there is no guarantee that uid 1001 in the parent jail is at all related to uid 1001 in a subordinate.

This change introduces three new privileges that grant a process this kind of insight into other jails:

- PRIV_DEBUG_DIFFJAIL
- PRIV_SCHED_DIFFJAIL
- PRIV_SIGNAL_DIFFJAIL

These can be granted independently or in conjunction with the accompanying *_DIFFCRED privileges, i.e.:

- PRIV_DEBUG_DIFFCRED alone will let uid 1001 debug uid 1002, but PRIV_DEBUG_DIFFJAIL is additionally needed to let it debug uid 1002 in a jail.
- PRIV_DEBUG_DIFFJAIL alone will let uid 1001 debug uid 1001 in a jail, but will not allow it to debug uid 1002 in a jail.

Note that security.bsd.see_jail_proc can be used for similar effects, but does not prevent a user from learning the pid of a jailed process with matching creds and signalling it or rescheduling it (e.g., cpuset). Debugging is restricted by visibility in all cases, so that one is less of a concern.

This change adds a new jail(8) parameter for the parent to indicate on a per-jail basis if its users are open to being tampered with by the parent's unprivileged users: allow.unprivileged_parent_tampering. This is enabled by default in 14.x, but may be disabled to honor the new priv(9) checks for earlier testing of the new behavior in FreeBSD 15.x. Development setups that involve regularly debugging jailed processes from outside the jail will want to consider adding a default `allow.unprivileged_parent_tampering;` to your /etc/jail.conf before transitioning to 15.x.
Reviewed by: jamie
Relnotes: yes (added, off by default)
(cherry picked from commit 8a5ceebece0311bc41180b3ca0ce7237def1e253)
(cherry picked from commit bd21c672a868f039edb109b73757ad560252ca0f)
Diffstat (limited to 'include/stab.h')
0 files changed, 0 insertions, 0 deletions