is nfs mount inside jail possible?

Alexander Leidinger Alexander at Leidinger.net
Wed Jun 25 16:42:02 UTC 2008


Quoting Robert Watson <rwatson at FreeBSD.org> (from Wed, 25 Jun 2008 16:57:17 +0100 (BST)):

> On Wed, 25 Jun 2008, Alexander Leidinger wrote:
>
>> Oh: I haven't checked if this actually works. I don't know if all  
>> places DTRT then. Normally it should work, but you better test if  
>> it really puts the FS in the place where you want it, that you can  
>> mount/umount it, that "mount -v" shows the expected output on the  
>> host and in the jail, and so on.
>>
>> Similar things can be done for  
>> src/sys/fs/{cd9660|msdosfs|ntfs|nullfs|smbfs|udf|unionfs}. Those  
>> are the FS's which _should_ be safe, either because they work with  
>> untrusted data anyway, or because it's a loopback mount. But again,  
>> I haven't tested any of them (I have them patched locally, but even  
>> the initial testing is on my TODO list with a low priority).
>
> Safe in the sense that they might, or might not, immediately panic.   
> Not safe in the sense that the resulting system would necessarily  
> have the expected or desired security properties.  It wouldn't  
> surprise me if, just for example, allowing user mounting of nullfs  
> from within jail allowed the user to escape from the jail and access  
> files outside the jail in the host system.

I just had a look at the man page of nmount (that's what is used to  
mount nullfs, and some other FSs). nmount gets the pathname  
(realpath). realpath prints the path relative to the jail root, not  
the real name on the jail host. If nmount is not jail aware, then we  
have a meltdown. nmount is using NDINIT/namei. If I read namei/NDINIT  
correctly, it picks the correct path in a jail (else name lookups in a  
jail wouldn't work, right?). Any filesystem which gets a source path  
also needs to use namei (AFAIK, please correct me if I'm wrong), so  
this side of the mounting has the same properties.

For FSs which don't use nmount but the old mount stuff, I don't know.

> Establishing that this is not the case is fairly non-trivial and has  
> to be done very carefully.  I would recommend extreme caution.

At least for nmount based things this would implicitly mean we have a  
_very_ big problem with jails (if my above analysis of the code is  
correct) in other places, as the mountpoint is resolved via namei in  
the kernel.

Bye,
Alexander.

-- 
Personnel recruiting is a triumph of hope over
experience.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

