git: 1fcd79ec74 - main - 14.0 relnotes: Additions

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Tue, 07 Nov 2023 21:03:27 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/doc/commit/?id=1fcd79ec744786b6835f141246a2aeed2c01140e

commit 1fcd79ec744786b6835f141246a2aeed2c01140e
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-11-07 09:41:29 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-11-07 21:02:56 +0000

    14.0 relnotes: Additions
    
    - Changes to the 'security.bsd.see_jail_proc' security policy.
    - Changes to the 'security.bsd.see_other_gids' security policy.
    - Zenbleed bug/vulnerability
    
    Reviewed by:            carlavilla, karels
    Sponsored by:           The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D42488
---
 website/content/en/releases/14.0R/relnotes.adoc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/website/content/en/releases/14.0R/relnotes.adoc b/website/content/en/releases/14.0R/relnotes.adoc
index 8891b0b8bd..deb784cfec 100644
--- a/website/content/en/releases/14.0R/relnotes.adoc
+++ b/website/content/en/releases/14.0R/relnotes.adoc
@@ -444,6 +444,20 @@ Previously, timerfd was only available under Linux emulation.
 For programs written only for FreeBSD, the man:kqueue[2] EVFILT_TIMER filter is preferred for establishing arbitrary timers.
 gitref:af93fea71038[repository=src]
 
+The process visibility policy controlled by the `security.bsd.see_jail_proc` man:sysctl[8] knob was hardened by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them.
+It was also made overridable by MAC policies, as are the other process visibility policies.
+gitref:7e21c691f295[repository=src] gitref:63c01c18a8d3[repository=src] (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation)
+
+The process visibility policy controlled by the `security.bsd.see_other_gids` man:sysctl[8] knob was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process' groups.
+The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit, whereas they should not see processes launched by a privileged user that temporarily enters the user's primary group.
+This new behavior is consistent with what `security.bsd.see_other_uids` has always been doing for user IDs (i.e., considering some process' real user ID and not the effective ID).
+gitref:26ff4836c888[repository=src] (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation)
+
+The Zenbleed bug affecting AMD Zen2 processors is now automatically mitigated (via chicken bit), preventing misbehavior and data leaks on affected machines.
+If needed, applying the mitigation can be manually controlled via the `machdep.mitigations.zenbleed.enable` man:sysctl[8] knob.
+Please consult the new man:mitigations[7] manual page for more information.
+gitref:aea76bab1416[repository=src] (Sponsored by The FreeBSD Foundation)
+
 [[drivers]]
 == Devices and Drivers
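Review bot: the `security.bsd.see_jail_proc` paragraph ("+The process visibility policy controlled by the `security.bsd.see_jail_proc` ...") packs the pre-fix behaviour, the fix and the attack condition into one run-on sentence and drops an article ("processes with same (real) UID"); split it so the weakness being closed is stated plainly, e.g. "Previously, an unprivileged user could send a signal to, change the priority of, or debug a process in a sub-jail that shared their real UID, provided they guessed its PID, even though the policy hid that process from them." The `security.bsd.see_other_gids` paragraph switches pronoun mid-sentence ("some user should continue to see processes it has launched even when they acquire ..."); use "a user ... they" throughout, and "processes they have launched". In the Zenbleed entry, readers are told the mitigation is applied automatically and that `machdep.mitigations.zenbleed.enable` controls it, but not which values the knob accepts, what the default setting is, or whether it has any effect on CPUs that are not Zen2; since this is the line an administrator will grep for when deciding whether to override it, add a clause giving the accepted values and the default, or point explicitly at the section of man:mitigations[7] that documents them.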