Date: Fri, 15 May 2020 14:57:53 -0500 From: Kyle Evans <kevans@freebsd.org> To: "Rodney W. Grimes" <rgrimes@freebsd.org> Cc: "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, Poul-Henning Kamp <phk@phk.freebsd.dk> Subject: Re: [HEADSUP] Disallowing read() of a directory fd Message-ID: <CACNAnaH3GkPd%2BNAgFUv4jjc1sFQiSG3c2bmAMqWarUZNzwJHUQ@mail.gmail.com> In-Reply-To: <202005151944.04FJiXmr087925@gndrsh.dnsmgr.net> References: <CACNAnaFE6gzyvwc8kbrX8Oq-h_acVq7wqgQ1P=a3jNpFBGshGw@mail.gmail.com> <202005151944.04FJiXmr087925@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, May 15, 2020 at 2:44 PM Rodney W. Grimes <freebsd@gndrsh.dnsmgr.net> wrote: > > > On Thu, May 14, 2020 at 1:26 PM Kyle Evans <kevans@freebsd.org> wrote: > > > > > > Hi, > > > > > > This is a heads up, given that I'm completely flipping our historical > > > behavior- I intend to commit this review in a couple days' time > > > without substantial objection: https://reviews.freebsd.org/D24596 > > > > > > > Note that the review has been updated to reflect feedback received > > through the course of this discussion. The current version, as of the > > time of writing, instead adds a security.bsd.allow_read_dir > > (defaulting to off) that will allow the system root (*not* jailed > > root) the ability to read(2) a directory if the filesystem supports > > it. A new priv(9), PRIV_VFS_READ_DIR has been added so that anyone > > interested in expanding the scope of the sysctl beyond the system root > > is welcome to implement a MAC policy for it. > > > > rgrimes@ and phk@ have been specifically invited to the review as > > representatives of those opposing the original change, but of course > > anyone is free to add themselves and/or simply chime in with > > constructive objections. > > I did not oppose the change, just asked that the change be knobbed > so that the few rare ones of us that do use this ability do not > have to jump through hoops when we need it to fix a problem. > Apologies, I did not intend to misrepresent your position -- I had interpreted your post as "objection with a path to acceptance" and followed it to that end since I was providing a revised version that aimed to also appeal to your criteria. Thanks, Kyle Evans
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACNAnaH3GkPd%2BNAgFUv4jjc1sFQiSG3c2bmAMqWarUZNzwJHUQ>