[Bug 259770] stable/12: jail(2) failures after ca9ab8ea1774
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 259770] stable/12: jail(2) failures after ca9ab8ea1774"
Date: Fri, 12 Nov 2021 00:31:04 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259770

Jamie Gritton <jamie@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open
                 CC|                            |jamie@FreeBSD.org

--- Comment #1 from Jamie Gritton <jamie@FreeBSD.org> ---
At first glance, it does seem legitimate to allow a directory descriptor
limited to CAP_UNLINKAT, and likely enough other similar restrictions, I
wonder if that's something we want to carve out.

I'll admit that I generally like the idea of daemons jailing themselves
into somewhere like /var/empty, and would want to encourage such behavior.
And I also see the value in pidfile(3). But the commit in question was made
for security reasons, so I'd want to tread very carefully here. For that
reason, I've invited the others involved in that commit to have their say
on the matter.

-- 
You are receiving this mail because:
You are the assignee for the bug.