git: df0a1f7054 - main - Status/2023Q3/process_visibility.adoc: Add report

From: Lorenzo Salvadore <>
Date: Thu, 28 Sep 2023 13:27:50 UTC
The branch main has been updated by salvadore:


commit df0a1f7054935dfbfc2cd7d78721e4512be20828
Author:     Olivier Certner <>
AuthorDate: 2023-09-28 12:40:42 +0000
Commit:     Lorenzo Salvadore <>
CommitDate: 2023-09-28 12:42:18 +0000

    Status/2023Q3/process_visibility.adoc: Add report
    Differential Revision:
 .../report-2023-07-2023-09/process_visibility.adoc | 49 ++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc b/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc
new file mode 100644
index 0000000000..bbb29cab20
--- /dev/null
+++ b/website/content/en/status/report-2023-07-2023-09/process_visibility.adoc
@@ -0,0 +1,49 @@
+=== Process Visibility Security Policies
+Links: +
+link:[Start of the reviews stack] URL: link:[]
+Contact: Olivier Certner <>
+==== Context
+FreeBSD implements three built-in security policies that limit which processes are visible to particular users, with the goal of preventing information leaks and unwanted interactions.
+The first one can prevent an unprivileged user from seeing or interacting with processes that do not have the user's UID as their real UID.
+It can be activated by setting the sysctl `security.bsd.see_other_uids` to 0 (default is 1).
+The second one can prevent an unprivileged user from seeing or interacting with processes whose credentials do not have any group that the user is a member of.
+It can be activated by setting the sysctl `security.bsd.see_other_gids` to 0 (default is 1).
+The third one can prevent an unprivileged user's process from seeing or interacting with processes that are in a jail that is a strict sub-jail of the former.
+The jail subsystem already prevents such a process to see processes in jails that are not descendant of its own (see man:jail[8] and in particular the section "Hierarchical Jails").
+One possible use of this policy is, in conjunction with the first one above, to hide processes in sub-jails that have the same real UID as some user in an ancestor jail because users having identical UIDs in these different jails are logically considered as actually different users.
+It can be activated by setting the sysctl `security.bsd.see_jail_proc` to 0 (default is 1).
+After a review of these policies' code and real world testing, we noticed a number of problems and limitations which prompted us to work on this topic.
+==== Changes
+The policy controlled by the `security.bsd.see_jail_proc` sysctl has received the following fixes and improvements:
+- Harden the security.bsd.see_jail_proc policy by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them.
+- Make this policy overridable by MAC policies, as are the other ones.
+The policy controlled by `security.bsd.see_other_gids` was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process' groups.
+The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit.
+Conversely, they should not see processes launched by a privileged user that temporarily enters the user's primary group.
+This new behavior is consistent with what `security.bsd.see_other_uids` has always been doing for user IDs (i.e., considering some process' real user ID and not the effective one).
+We have updated manual pages related to these security policies, including man:security[7], man:sysctl[8], and man:ptrace[2].
+Several manual pages of internal functions either implementing or leveraging these policies have also been revamped.
+==== Status
+Thanks to the help of[Mitchell Horne],[Pau Amma],[Benedict Reuschling] and[Ed Maste], most of the submitted changes have been reviewed and approved, so they should reach the tree soon.
+The patch series starts with[review D40626].
+From there, click on the "Stack" tab to see the full list of reviews implementing the changes.
+As a later step, we are considering turning the `security.bsd.see_jail_proc` policy on by default (i.e., the default value of the sysctl would become 0) unless there are objections.
+Sponsor: Kumacom SAS (for development work) +
+Sponsor: The FreeBSD Foundation (for most of the reviews)