[Midnightbsd-cvs] [MidnightBSD/src] 8d7b77: jail security fix -
Lucas Holt
noreply at github.com
Tue Feb 24 20:02:40 EST 2026
Branch: refs/heads/stable/4.0
Home: https://github.com/MidnightBSD/src
Commit: 8d7b7791f117d07f940048cfcb84eaec9a062078
https://github.com/MidnightBSD/src/commit/8d7b7791f117d07f940048cfcb84eaec9a062078
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-02-24 (Tue, 24 Feb 2026)
Changed paths:
M UPDATING
M sys/compat/cloudabi/cloudabi_fd.c
M sys/fs/fdescfs/fdesc_vnops.c
M sys/kern/kern_descrip.c
M sys/kern/sys_procdesc.c
M sys/kern/uipc_mqueue.c
M sys/kern/uipc_sem.c
M sys/kern/uipc_syscalls.c
M sys/kern/uipc_usrreq.c
M sys/kern/vfs_acl.c
M sys/kern/vfs_cache.c
M sys/kern/vfs_extattr.c
M sys/kern/vfs_syscalls.c
M sys/sys/file.h
M sys/sys/filedesc.h
M sys/sys/namei.h
M sys/sys/procdesc.h
M sys/sys/socketvar.h
M tests/sys/kern/Makefile
M tests/sys/kern/unix_passfd_test.c
Log Message:
-----------
jail security fix -
If two sibling jails are restricted to separate filesystem trees, which is to
say that neither of the two jail root directories is an ancestor of the other,
jailed processes may nonetheless be able to access a shared directory via a
nullfs mount, if the administrator has configured one.
In this case, cooperating processes in the two jails may establish a connection
using a unix domain socket and exchange directory descriptors with each other.
When performing a filesystem name lookup, at each step of the lookup, the
kernel checks whether the lookup would descend below the jail root of the
current process. If the jail root directory is not encountered, the lookup
continues.
Obtained from: FreeBSD
To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications
More information about the Midnightbsd-cvs
mailing list