Date: Mon, 2 Oct 2023 08:20:43 GMT
Message-Id: <202310020820.3928KhSH079324@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Lorenzo Salvadore
Subject: git: bfd1b9fc85 - main - Status/2023Q3/process_visibility.adoc: Fixes
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-Git-Committer: salvadore
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: bfd1b9fc85b6a3482f8c179ee7747fc89502ad74

The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=bfd1b9fc85b6a3482f8c179ee7747fc89502ad74

commit bfd1b9fc85b6a3482f8c179ee7747fc89502ad74
Author:     Graham Perrin
AuthorDate: 2023-10-02 08:18:54 +0000
Commit:     Lorenzo Salvadore
CommitDate: 2023-10-02 08:20:31 +0000

    Status/2023Q3/process_visibility.adoc: Fixes

    Pull Request: https://github.com/freebsd/freebsd-doc/pull/268

--- .../en/status/report-2023-07-2023-09/process_visibility.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc b/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc index bbb29cab20..06cf80b33f 100644 --- a/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc +++ b/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc 
@@ -17,7 +17,7 @@ It can be activated by setting the sysctl `security.bsd.see_other_gids` to 0 (de The third one can prevent an unprivileged user's process from seeing or interacting with processes that are in a jail that is a strict sub-jail of the former. The jail subsystem already prevents such a process to see processes in jails that are not descendant of its own (see man:jail[8] and in particular the section "Hierarchical Jails"). -One possible use of this policy is, in conjunction with the first one above, to hide processes in sub-jails that have the same real UID as some user in an ancestor jail because users having identical UIDs in these different jails are logically considered as actually different users. +One possible use of this policy is, in conjunction with the first one above, to hide processes in sub-jails that have the same real UID as some user in an ancestor jail, because users having identical UIDs in these different jails are logically considered as different users. It can be activated by setting the sysctl `security.bsd.see_jail_proc` to 0 (default is 1). After a review of these policies' code and real world testing, we noticed a number of problems and limitations which prompted us to work on this topic. 
@@ -26,13 +26,13 @@ After a review of these policies' code and real world testing, we noticed a numb The policy controlled by the `security.bsd.see_jail_proc` sysctl has received the following fixes and improvements: -- Harden the security.bsd.see_jail_proc policy by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them. -- Make this policy overridable by MAC policies, as are the other ones. +- Harden the `security.bsd.see_jail_proc` policy by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them. +- Make this policy overridable by MAC policies, as are the others. The policy controlled by `security.bsd.see_other_gids` was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process' groups. The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit. Conversely, they should not see processes launched by a privileged user that temporarily enters the user's primary group. -This new behavior is consistent with what `security.bsd.see_other_uids` has always been doing for user IDs (i.e., considering some process' real user ID and not the effective one). +This new behavior is consistent with what `security.bsd.see_other_uids` has always been doing for user IDs (i.e., considering some process' real user ID and not the effective ID). We have updated manual pages related to these security policies, including man:security[7], man:sysctl[8], and man:ptrace[2]. 
Several manual pages of internal functions either implementing or leveraging these policies have also been revamped.
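
Review bot: In the first hunk (@@ -17,7 +17,7 @@), the unchanged context line directly above the edited sentence still reads "prevents such a process to see processes in jails that are not descendant of its own". Since this commit is a wording pass over the same paragraph, change it to "prevents such a process from seeing processes in jails that are not descendants of its own". In the rewritten line, "logically considered as different users" can also drop "as".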
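
Review bot: In the second hunk (@@ -26,13 +26,13 @@), the first rewritten bullet says the hardening works "by preventing unauthorized users from attempting to kill, change priority of or debug processes", but the rest of the same sentence says the problem was that such attempts succeeded when the PID was guessed correctly. The fix described is that the attempts now fail, not that they cannot be made, so wording such as "by making attempts to kill, change the priority of or debug processes with the same (real) UID in a sub-jail fail, even when the PID is guessed correctly" would match the behavior and also supply the missing articles. The bullet restates the policy name that the sentence introducing the list already gives, so "Harden the policy by" would be enough.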