DF-0165 / manifest.json
{ "finding_id": "DF-0165", "guest_uname": "DragonFly dfbsd 6.5-DEVELOPMENT DragonFly v6.5.0.1712.g89e6a-DEVELOPMENT #1: Mon Jun 29 14:18:01 UTC 2026 root@ephemeral-5c2002c44b6c:/usr/obj/usr/src/sys/X86_64_GENERIC x86_64", "code_hash": "9486e5252d97fe9b1d00377ba1ea79eca3c76150522a3df86a865a60c5f93d16", "tested_at": "2026-07-01T09:44:32Z", "verdict": "REPRODUCED", "impact": "jail-policy bypass", "confidence": "certain", "reproduce": { "build": "./build.sh", "run": "./run.sh", "expected": "all 5 cap-gated actions (raw socket + tmpfs/nullfs/devfs/procfs mount) succeed inside a default-policy jail; on a fixed kernel each returns EPERM" }, "kernel_refs": [ "sys/kern/kern_caps.c:333", "sys/kern/kern_caps.c:334", "sys/kern/kern_caps.c:335", "sys/kern/kern_caps.c:340", "sys/kern/kern_jail.c:854", "sys/kern/kern_jail.c:865", "sys/kern/kern_jail.c:866", "sys/kern/kern_jail.c:872", "sys/kern/kern_jail.c:878", "sys/kern/kern_jail.c:919", "sys/kern/kern_jail.c:923", "sys/kern/kern_jail.c:951", "sys/kern/kern_jail.c:956", "sys/kern/kern_jail.c:961", "sys/kern/kern_jail.c:966", "sys/kern/kern_jail.c:971", "sys/netinet/raw_ip.c:473", "sys/kern/vfs_syscalls.c:152", "sys/kern/vfs_syscalls.c:157", "sys/sys/caps.h:116", "sys/sys/caps.h:117", "sys/sys/caps.h:137", "sys/sys/caps.h:141", "sys/sys/caps.h:196", "sys/sys/caps.h:223", "sys/sys/caps.h:228" ], "artifacts": [ {"path": "bypass.c", "type": "trigger-source", "desc": "self-contained jail-create + gated-action driver; proves cap-corruption bypass"}, {"path": "build.sh", "type": "build-script", "desc": "cc -O2 -Wall -o bypass bypass.c"}, {"path": "run.sh", "type": "run-script", "desc": "echoes jail default-policy sysctls then runs ./bypass"}, {"path": "build.log", "type": "build-log", "desc": "final successful build, full output"}, {"path": "run.log", "type": "run-log", "desc": "decisive run: 5 bypasses observed"}, {"path": "run.2.log", "type": "run-log", "desc": "repeat run for reproducibility"}, {"path": "run.3.log", "type": 
"run-log", "desc": "third repeat run for reproducibility"}, {"path": "env.txt", "type": "environment", "desc": "uname, cc version, jail default policy sysctls"}, {"path": "VERDICT.md", "type": "verdict", "desc": "full narrative + line-by-line kernel trace + recommended fix"}, {"path": "README.md", "type": "readme", "desc": "what this pack is and how to reproduce"}, {"path": "manifest.json", "type": "manifest", "desc": "this file"} ] }