1 Apr 2025 |
artemist | https://man.freebsd.org/cgi/man.cgi?query=unix&apropos=0&sektion=0&manpath=FreeBSD+13.1-RELEASE+and+Ports&arch=default&format=html | 23:27:51 |
jade_ | of course the other interaction with this that might be hilarious is if freebsd has abstract domain unix sockets, which I think it does because they had to copy linux's bad features for the linux abi thing | 23:28:44 |
artemist | FreeBSD has a linux compatibility layer so I wouldn't be surprised | 23:30:11 |
artemist | like, it's sufficiently compatible to run commercial games and software | 23:30:52 |
jade_ | https://lists.freebsd.org/archives/freebsd-hackers/2021-December/000636.html hm | 23:31:10 |
jade_ | maybe they did not! | 23:31:13 |
jade_ | at least it is good that they are proposing "having a security model" for this feature which is a walking CVE | 23:31:33 |
artemist | ... who the hell thought this was a good idea | 23:32:58 |
jade_ | I DON'T KNOW BUT I DO KNOW HOW MANY CVES THIS FUCKIN THING HAS CAUSED | 23:33:11 |
jade_ | did you know they are isolated by network namespace on linux??? infinite CVEs in container runtimes... | 23:33:30 |
artemist | if you're forced to have them then network namespace feels like the least bad place to isolate them, but oh god | 23:34:05 |
jade_ | no it's not | 23:34:13 |
artemist | oh, mount namespace? | 23:34:35 |
jade_ | host netns allowing containers to send each other fds is how you get CVE-2024-27297 | 23:34:45 |
jade_ | among also docker ones | 23:34:51 |
artemist | network namespace is where I would expect them to go | 23:35:03 |
jade_ | CVE-2020-15257 lol | 23:35:14 |
jade_ | but unix sockets exist as a fd passing primitive and secondarily as a network feature, in my view :) | 23:35:42 |
jade_ | the fact that you have to shove containers into a netns with NAT if you don't want them sending each other fds is a hilarious linux moment | 23:36:14 |
artemist | Yeah, that's not the worst interpretation. It makes me think of how systemd is a database for file descriptors | 23:36:49 |
artemist | sending file descriptors between mount namespaces at all feels sus | 23:37:15 |
jade_ | it combines somewhat poorly with the userspace nat implementations being all kind of annoying. pasta, slirp4netns, etc | 23:37:17 |
jade_ | it's ... well. I can see the use case for it in container setup, but it is pretty sketchy | 23:37:42 |
jade_ | (and I think that it really should only be allowed on inherited fds) | 23:38:06 |
artemist | I wonder how much would break if I patched linux to disallow abstract sockets | 23:39:28 |
jade_ | they can be disabled via apparmor and other LSMs | 23:40:22 |
artemist | sounds boring, I should just use a bpf lsm | 23:40:59 |
rhelmot | it sounds like the basic consideration is that root-in-jail is the basic ingredient for privesc, though it can be mitigated away. might be something we want to enable with an option only exposed to trusted users | 23:44:32 |
artemist | Yeah, that's probably a reasonable explanation. There are a lot of weird edge cases to deal with if you have untrusted root | 23:46:33 |
jade_ | yeah, linux has had infinite kernel bugs because userns root is kind of a security model break, but it's too useful to get rid of | 23:47:03 |