From nobody Thu May 07 20:40:21 2026
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gBPJk0xvfz6bwFY
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Thu, 07 May 2026 20:40:22 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gBPJj6vmvz3Np2
	for <dev-commits-src-all@FreeBSD.org>; Thu, 07 May 2026 20:40:21 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1778186422;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=BrkIADxkYIuZDHMtepuLDRtqiIHmtSGzIcwdIU456Zw=;
	b=vVB/K/xPJRdDalo4zNE+2S35O5Zrc07S0uVJdcFP7I6llCsLS8hxM21h+hLLYmRl7aq7Rx
	rYhGMjwSNOy/PYas24hjpfMwcrhzy8nT3S7AAZyIx1UMXKhROsUmH9AlJPNgPgXPAqBAN8
	KqPqRTlmcBH33B4bWzf0PhC7nWzlFAdhK9JIBLIljnvtlwytScdbEdufwdlIo+bAcrOXpU
	iZHW91sgOs7BzcA7OMnGO3/rASXlyi3bm8f+IKjGerd9NQI7NopwJHldtZi8WAas30F6bY
	DtjgMdvZ6g3nRpzEeApgTJHlcuSUcu9htFoNyMht6ShNrGgmOWiMN8Xik/Ia4A==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1778186422; a=rsa-sha256; cv=none;
	b=xR+e8kHZzV2xg5muuTs1SsNVSUpEOYshPMhIbTw3IFK+3Ho07p0FLipsxvKhoGi+rS6rZk
	5cCp7kGOXFCb4G74duueyX3S3aPWwrqH2xsHLloJHMCileTYjxpw2Bd5qQxvCKkWGXuPjn
	0+n3SRC8b7trWdjYLjDn2/XP/IHVpdMDMmiduqNONA08z3wf5gz0EtpBXfq6GaiNnugS4V
	hHaIe6nO9GekNC8Pa0Pe2jUbSE0vwFxViEF+StAU7KohezF7Nfi8bCtMfp49ZIEraW0ffJ
	7YKfjX3anGy3wh/+56Htav6E4jlV1IE5OYLAmPcyNEhogFuztojSG1RR68UV7w==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1778186422;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=BrkIADxkYIuZDHMtepuLDRtqiIHmtSGzIcwdIU456Zw=;
	b=cMW1jxMAqAADgrmoUnIU3WxQxplfVG+sJHVWNfUr7RFARaNosFVgoVmemIKV6m+sQ1tb3U
	0slj0BoBaAmqBASfhBq86SybwgNXXqdlAxzIEkNzS68OPfgDDar8eVUZfnTcRwPJKDHfdv
	HpHi81Q1spjHIkVgilzLpmJC3oiDR/WS4ds09KBy1tsBaSXrzoPPIwU9XbhG7PB4B5+sHe
	Xxe2qLI8wRf+mZBw/tspKJ0gRwXuHGHXI5gvcZBA0+Mqz+oIxfFm75YnKK65WM4q+TVwkL
	ECDqjdvX5mr7NQABc6x5wS7eaNaFJfQPRfydn6KcZDv69Ku2Rb5hPKHzPz9ySA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gBPJj5tzmzj07
	for <dev-commits-src-all@FreeBSD.org>; Thu, 07 May 2026 20:40:21 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 2221d
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Thu, 07 May 2026 20:40:21 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc: Jan Bramkamp <crest+freebsd@rlwinm.de>
From: Colin Percival <cperciva@FreeBSD.org>
Subject: git: 38c5d60c367e - releng/15.1 - jail: avoid leaking jail config fds to exec.* hooks
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
List-Id: <dev-commits-src-all.FreeBSD.org>
List-Post: <mailto:dev-commits-src-all@FreeBSD.org>
List-Help: <mailto:dev-commits-src-all+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cperciva
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/15.1
X-Git-Reftype: branch
X-Git-Commit: 38c5d60c367e788341e059ee3940183c293956ba
Auto-Submitted: auto-generated
Date: Thu, 07 May 2026 20:40:21 +0000
Message-Id: <69fcf8b5.2221d.3c6fd090@gitrepo.freebsd.org>

The branch releng/15.1 has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=38c5d60c367e788341e059ee3940183c293956ba

commit 38c5d60c367e788341e059ee3940183c293956ba
Author:     Jan Bramkamp <crest+freebsd@rlwinm.de>
AuthorDate: 2026-05-06 23:28:53 +0000
Commit:     Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2026-05-07 20:39:42 +0000

    jail: avoid leaking jail config fds to exec.* hooks
    
    The jail(8) command must not leave parsed configuration files open
    since the file descriptors will be leaked to child processes
    including the untrusted exec.start or exec.stop hooks.
    
    While fopen() doesn't provide direct access to O_CLOEXEC, it does
    provide access to FD_CLOEXEC via "e" in the mode string which
    provides the desired defense in depth against leaking file descriptors
    into exec.* hooks since those always execve() into a shell.
    
    Jail configuration is potentially sensitive and some hooks execute from
    within the jail context, leaving some opening for the jail to exfiltrate
    information about the host environment.
    
    (Commit message wordsmithed by kevans)
    
    Approved by:    re (cperciva)
    PR:             295052
    Reviewed by:    kevans
    
    (cherry picked from commit 276d9b88a9e6fd6fd90e57c36444756ad297d2ab)
    (cherry picked from commit c35bb8ba898482920bf9b57967a9a11f98a89c81)
---
 usr.sbin/jail/config.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c
index 1bad04ccde68..f1e2da215790 100644
--- a/usr.sbin/jail/config.c
+++ b/usr.sbin/jail/config.c
@@ -321,6 +321,7 @@ static void
 parse_config(const char *cfname, int is_stdin)
 {
 	struct cflex cflex = {.cfname = cfname, .error = 0};
+	FILE *yfp = NULL;
 	void *scanner;
 
 	yylex_init_extra(&cflex, &scanner);
@@ -328,7 +329,7 @@ parse_config(const char *cfname, int is_stdin)
 		cflex.cfname = "STDIN";
 		yyset_in(stdin, scanner);
 	} else {
-		FILE *yfp = fopen(cfname, "r");
+		yfp = fopen(cfname, "re");
 		if (!yfp)
 			err(1, "%s", cfname);
 		yyset_in(yfp, scanner);
@@ -336,6 +337,8 @@ parse_config(const char *cfname, int is_stdin)
 	if (yyparse(scanner) || cflex.error)
 		exit(1);
 	yylex_destroy(scanner);
+	if (yfp != NULL)
+		fclose(yfp);
 }
 
 /*