From nobody Wed May 06 23:29:16 2026
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g9s694TlCz6d23r
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Wed, 06 May 2026 23:29:21 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4g9s693TzYz3Kyr
	for <dev-commits-src-all@FreeBSD.org>; Wed, 06 May 2026 23:29:21 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1778110161;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=5GnVnTd6CkL798zv+7s78DaDXKHml3qOnoxivu9Y7zg=;
	b=EYBd1fgvXhn71d9lWCc2BEvgjiDh413aOxehdKSwco2zHE7Z2Ps+15cuil7AFq36dsFCBq
	sxZjc8sZAo9RUNfd3ZxNUdq9J+L4yQ003hk01j++wibtntAdl1DmCq8e1IY2Y9gLyMPmwB
	ZITOFfK8pj3KKe6v7ViDoqFysw4Iuni6rgpS8jrWt0ppqgHTTlzG5oStYWy6eszX9VreDA
	mk4/hgC2dY+tbRTrolGvNE2BUgAfDlHC1jL3BsHgblIXEc3iMcDkq019f8daliIsckgjrr
	ENEXTw4ufC0HgUZ0JeOth+wUMoWvqeMtq1GEXxcAPnE/vzDF5HCiyohZ7H8LMQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1778110161; a=rsa-sha256; cv=none;
	b=IqNSLiWU5MANEmeSVQTvigOxwnhDGuW6GOle0ZytMYyLQ9Q3/oZUf90ZMwK9mLL2lYYdeZ
	Si+/W0qMYHG1olpiG+/JDjg9PHEV2P5xr0S3w93OZurSIq7aFkrgE/oQceA1I0GGHo1LLw
	7WoE3B19dgPfjdTQNV2M/fyYQs3hr38/9Y+yMQBz200CQfol2653iXtIc6sXzSaFLcw/AK
	d5ndK9xq3zCtZmQk8sVbyQTWCiRxeJrgaGMmd/jLMoKjeH2NXVVjAYcunvsQYlxik9nEka
	DxqQFC8t7F3HwJN6hs0SArTnAMY9haUeW13h2D7QiZx+R721JPHiHEiJ8k/5JA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1778110161;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=5GnVnTd6CkL798zv+7s78DaDXKHml3qOnoxivu9Y7zg=;
	b=kXu/YcwHxarj9kn57ofElLdhKQWYYSlQmv8jmdoLXusaDiiW7qZRsrZqYGbjy77WVV0hL+
	EFr5nC8KHOUE/sa4VutBYh7A3ZNJjAifzXz4F3tNixetwc7H98W8Y+mqE4duCvJwxKfugM
	7APvI/u4VtIoUn9e+ZmhpsWCBgfZgFcinaUVq3DGcZ6Rz2P8DhwZxuYuR8q3QKI6CiyX0I
	YHG9VdnmeRVn6NuGpTP4B5gQccLlO3CBpE2OLGDO8UFjXbA/vVQoPvNpxBCu/DfUaL2Jli
	+JoGVFxoXAp9iMwxRtlZeq3Mi/26eQ2ETfy2dHE5idem5NeiBE5/x2GnlhbBkA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g9s6931sFz10gb
	for <dev-commits-src-all@FreeBSD.org>; Wed, 06 May 2026 23:29:21 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 38660
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Wed, 06 May 2026 23:29:16 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Cc: Jan Bramkamp <crest+freebsd@rlwinm.de>
From: Kyle Evans <kevans@FreeBSD.org>
Subject: git: 276d9b88a9e6 - main - jail: avoid leaking jail config fds to exec.* hooks
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
List-Id: <dev-commits-src-all.FreeBSD.org>
List-Post: <mailto:dev-commits-src-all@FreeBSD.org>
List-Help: <mailto:dev-commits-src-all+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 276d9b88a9e6fd6fd90e57c36444756ad297d2ab
Auto-Submitted: auto-generated
Date: Wed, 06 May 2026 23:29:16 +0000
Message-Id: <69fbcecc.38660.478a2629@gitrepo.freebsd.org>

The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=276d9b88a9e6fd6fd90e57c36444756ad297d2ab

commit 276d9b88a9e6fd6fd90e57c36444756ad297d2ab
Author:     Jan Bramkamp <crest+freebsd@rlwinm.de>
AuthorDate: 2026-05-06 23:28:53 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2026-05-06 23:28:53 +0000

    jail: avoid leaking jail config fds to exec.* hooks
    
    The jail(8) command must not leave parsed configuration files open
    since the file descriptors will be leaked to child processes
    including the untrusted exec.start or exec.stop hooks.
    
    While fopen() doesn't provide direct access to O_CLOEXEC, it does
    provide access to FD_CLOEXEC via "e" in the mode string which
    provides the desired defense in depth against leaking file descriptors
    into exec.* hooks since those always execve() into a shell.
    
    Jail configuration is potentially sensitive and some hooks execute from
    within the jail context, leaving some opening for the jail to exfiltrate
    information about the host environment.
    
    (Commit message wordsmithed by kevans)
    
    PR:             295052
    Reviewed by:    kevans
    MFC after:      3 days
---
 usr.sbin/jail/config.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c
index 1bad04ccde68..f1e2da215790 100644
--- a/usr.sbin/jail/config.c
+++ b/usr.sbin/jail/config.c
@@ -321,6 +321,7 @@ static void
 parse_config(const char *cfname, int is_stdin)
 {
 	struct cflex cflex = {.cfname = cfname, .error = 0};
+	FILE *yfp = NULL;
 	void *scanner;
 
 	yylex_init_extra(&cflex, &scanner);
@@ -328,7 +329,7 @@ parse_config(const char *cfname, int is_stdin)
 		cflex.cfname = "STDIN";
 		yyset_in(stdin, scanner);
 	} else {
-		FILE *yfp = fopen(cfname, "r");
+		yfp = fopen(cfname, "re");
 		if (!yfp)
 			err(1, "%s", cfname);
 		yyset_in(yfp, scanner);
@@ -336,6 +337,8 @@ parse_config(const char *cfname, int is_stdin)
 	if (yyparse(scanner) || cflex.error)
 		exit(1);
 	yylex_destroy(scanner);
+	if (yfp != NULL)
+		fclose(yfp);
 }
 
 /*