[Bug 259770] ggate: jail(2) failure error: Unable to jail process in directory /var/empty after stable/12 src ca9ab8ea1774

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 13 Nov 2021 09:21:25 UTC

--- Comment #8 from Fabian Keil <fk@fabiankeil.de> ---
(In reply to Kyle Evans from comment #7)

D'oh. Thanks, Kyle.

Somehow I was under the impression that CLOEXEC would apply to forks
as well but obviously it does not.

Calling "pidfile_close(pfh)" before "g_gate_drop_privs()"
lets jail(2) succeed:

[fk@steffen ~]$ sysctl kern.pwd_chroot_chdir_check_open_directories
kern.pwd_chroot_chdir_check_open_directories: 1
[fk@steffen ~]$ sudo ggated -v -j
info: Listen on port: 3080.
debug: Privileges successfully dropped using jail+setgid+setuid.
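
The following is an added example, not part of the bug report and not ggate's code, showing the descriptor semantics behind the fix above: FD_CLOEXEC is only consulted by execve(2), while fork(2) copies the whole descriptor table, so a process that forks without exec'ing carries every descriptor, CLOEXEC or not, into the child. The example assumes that the descriptor jail(2) objects to under the sysctl shown above is the directory that the pidfile handle keeps open (the comment does not name the descriptor), and it stands in for pidfile_open()/pidfile_close() with a plain open(2)/close(2) of "/". It runs unprivileged on any POSIX system and does not call jail(2) or chroot(2) itself; it only reports the descriptor state at the point where g_gate_drop_privs() would.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is an open descriptor in the calling process, 0 otherwise. */
int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}

/* Reap pid; 1 if it exited normally with status 0. */
static int child_exited_zero(pid_t pid)
{
	int status;

	if (waitpid(pid, &status, 0) != pid)
		return 0;
	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* fork(2) without exec: does the child still hold fd?
 * Returns 1 (open), 0 (closed), -1 if fork failed. */
int fd_open_after_fork(int fd)
{
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0)
		_exit(fd_is_open(fd) ? 0 : 1);
	return child_exited_zero(pid);
}

/* fork(2) then execve(2) of /bin/sh: does the new image still hold fd?
 * "exec 9<&N" only succeeds if N is open; stderr is redirected first so
 * the expected "Bad file descriptor" is silent.  Same return values. */
int fd_open_after_exec(int fd)
{
	char cmd[64];
	pid_t pid;

	snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);
	pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
		_exit(127);
	}
	return child_exited_zero(pid);
}

/* Open "/" with or without O_CLOEXEC (stand-in for the pidfile's
 * directory descriptor), push it through fork() and optionally exec(),
 * and report whether it survived. */
int dir_fd_survives(int with_cloexec, int through_exec)
{
	int flags = O_RDONLY | O_DIRECTORY | (with_cloexec ? O_CLOEXEC : 0);
	int fd = open("/", flags);
	int r;

	if (fd < 0)
		return -1;
	r = through_exec ? fd_open_after_exec(fd) : fd_open_after_fork(fd);
	close(fd);
	return r;
}

/* Model of the daemon's sequence: hold the pidfile's directory fd, fork
 * once (no exec), then reach the point where jail(2) would be called.
 * Returns 1 if a directory fd is still open there, 0 if not.  close_first
 * mirrors calling pidfile_close() before g_gate_drop_privs(). */
int dir_fd_open_at_jail_point(int close_first)
{
	int dirfd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	int r;

	if (dirfd < 0)
		return -1;
	if (close_first)
		close(dirfd);
	r = fd_open_after_fork(dirfd);
	if (!close_first)
		close(dirfd);
	return r;
}

int main(void)
{
	printf("CLOEXEC dir fd after fork only: %s\n",
	    dir_fd_survives(1, 0) ? "open" : "closed");
	printf("CLOEXEC dir fd after exec:      %s\n",
	    dir_fd_survives(1, 1) ? "open" : "closed");
	printf("at jail point, pidfile left open:   %s\n",
	    dir_fd_open_at_jail_point(0) ? "open" : "closed");
	printf("at jail point, pidfile_close first: %s\n",
	    dir_fd_open_at_jail_point(1) ? "open" : "closed");
	return 0;
}
```

The first two lines of output show the asymmetry the comment ran into: the O_CLOEXEC descriptor is gone after an exec but still present after a bare fork. Since the daemon never execs between opening the pidfile and calling jail(2), the only way to get the directory descriptor out of the table is to close it explicitly, which is what moving pidfile_close() ahead of g_gate_drop_privs() does.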

