{
  "finding_id": "DF-0165",
  "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026     root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC  x86_64",
  "code_hash": "9486e5252d97fe9b1d00377ba1ea79eca3c76150522a3df86a865a60c5f93d16",
  "tested_at": "2026-07-01T09:44:32Z",
  "verdict": "REPRODUCED",
  "impact": "jail-policy bypass",
  "confidence": "certain",
  "reproduce": {
    "build": "./build.sh",
    "run": "./run.sh",
    "expected": "on an affected kernel, all 5 cap-gated actions (raw socket + tmpfs/nullfs/devfs/procfs mount) succeed inside a default-policy jail; on a fixed kernel each fails with EPERM"
  },
  "kernel_refs": [
    "sys/kern/kern_caps.c:333",
    "sys/kern/kern_caps.c:334",
    "sys/kern/kern_caps.c:335",
    "sys/kern/kern_caps.c:340",
    "sys/kern/kern_jail.c:854",
    "sys/kern/kern_jail.c:865",
    "sys/kern/kern_jail.c:866",
    "sys/kern/kern_jail.c:872",
    "sys/kern/kern_jail.c:878",
    "sys/kern/kern_jail.c:919",
    "sys/kern/kern_jail.c:923",
    "sys/kern/kern_jail.c:951",
    "sys/kern/kern_jail.c:956",
    "sys/kern/kern_jail.c:961",
    "sys/kern/kern_jail.c:966",
    "sys/kern/kern_jail.c:971",
    "sys/netinet/raw_ip.c:473",
    "sys/kern/vfs_syscalls.c:152",
    "sys/kern/vfs_syscalls.c:157",
    "sys/sys/caps.h:116",
    "sys/sys/caps.h:117",
    "sys/sys/caps.h:137",
    "sys/sys/caps.h:141",
    "sys/sys/caps.h:196",
    "sys/sys/caps.h:223",
    "sys/sys/caps.h:228"
  ],
  "artifacts": [
    {"path": "bypass.c",     "type": "trigger-source", "desc": "self-contained jail-create + gated-action driver; proves cap-corruption bypass"},
    {"path": "build.sh",     "type": "build-script",   "desc": "cc -O2 -Wall -o bypass bypass.c"},
    {"path": "run.sh",       "type": "run-script",     "desc": "echoes jail default-policy sysctls then runs ./bypass"},
    {"path": "build.log",    "type": "build-log",      "desc": "final successful build, full output"},
    {"path": "run.log",      "type": "run-log",        "desc": "decisive run: 5 bypasses observed"},
    {"path": "run.2.log",    "type": "run-log",        "desc": "repeat run for reproducibility"},
    {"path": "run.3.log",    "type": "run-log",        "desc": "third repeat run for reproducibility"},
    {"path": "env.txt",      "type": "environment",    "desc": "uname, cc version, jail default policy sysctls"},
    {"path": "VERDICT.md",   "type": "verdict",        "desc": "full narrative + line-by-line kernel trace + recommended fix"},
    {"path": "README.md",    "type": "readme",         "desc": "what this pack is and how to reproduce"},
    {"path": "manifest.json","type": "manifest",       "desc": "this file"}
  ]
}
