[Bug 262180] jail escaping via jail-friendly nullfs
Date: Fri, 23 May 2025 13:04:52 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262180
--- Comment #9 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=7587f6d4840f8d363e457cddc14c184cf1fe7cc1
commit 7587f6d4840f8d363e457cddc14c184cf1fe7cc1
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-05-23 12:52:24 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-05-23 13:03:38 +0000
namei: Make stackable filesystems check harder for jail roots
Suppose a process has its cwd pointing to a nullfs directory, where the
lower directory is also visible in the jail's filesystem namespace.
Suppose that the lower directory vnode is moved out from under the
nullfs mount. The nullfs vnode still shadows the lower vnode, and
dotdot lookups relative to that directory will instantiate new nullfs
vnodes outside of the nullfs mountpoint, effectively shadowing the lower
filesystem.
This phenomenon can be abused to escape a chroot, since the nullfs
vnodes instantiated by these dotdot lookups defeat the root vnode check
in vfs_lookup(), which uses vnode pointer equality to test for the
process root.
Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface. That
is, add a flag to indicate that containerof can be used to get the full
nameidata structure, and perform the root vnode check on the lower vnode
when performing a dotdot lookup.
PR: 262180
Reviewed by: olce, kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D50418
share/man/man9/namei.9 | 9 +++++++++
sys/fs/nullfs/null_vnops.c | 28 ++++++++++++++++++----------
sys/fs/unionfs/union_vnops.c | 21 +++++++++++++++++++++
sys/kern/vfs_cache.c | 11 +----------
sys/kern/vfs_lookup.c | 41 ++++++++++++++++++++++++++++++-----------
sys/sys/namei.h | 5 ++++-
6 files changed, 83 insertions(+), 32 deletions(-)
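The root-check weakness and the fix described in the commit message, as a constructed C model added here for illustration (it is not code from the FreeBSD tree, and the struct vnode, is_root_old/is_root_new and walk_dotdot names are this example's own). A stacked vnode shadows a lower vnode; the old test compares only vnode pointers, so a stacked vnode over the jail root is not recognised and dotdot lookups climb past it, while the new test also compares the lower vnode on a dotdot lookup.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model: a stacked (nullfs-like) vnode remembers the lower
 * vnode it shadows. This is not FreeBSD's struct vnode. */
struct vnode {
    struct vnode *parent; /* what a ".." lookup yields; NULL above the top */
    struct vnode *lower;  /* shadowed lower vnode for a stacked vnode, else NULL */
};
/* Pre-fix root test: pointer equality with the process root only. */
static bool is_root_old(const struct vnode *vp, const struct vnode *root)
{
    return vp == root;
}
/* Post-fix root test as the commit describes it: on a dotdot lookup also
 * compare the lower vnode, so a stacked vnode over the root counts as root. */
static bool is_root_new(const struct vnode *vp, const struct vnode *root)
{
    return vp == root || (vp->lower != NULL && vp->lower == root);
}
/* Resolve `steps` consecutive ".." components from cwd. ".." at the root
 * stays at the root; that rule is what confines a chrooted process. */
static const struct vnode *walk_dotdot(const struct vnode *cwd,
    const struct vnode *root, int steps,
    bool (*is_root)(const struct vnode *, const struct vnode *))
{
    const struct vnode *vp = cwd;
    for (int i = 0; i < steps; i++)
        if (!is_root(vp, root) && vp->parent != NULL)
            vp = vp->parent;
    return vp;
}
/* True if vp, seen through its lower vnode, is root or lies beneath it. */
static bool confined(const struct vnode *vp, const struct vnode *root)
{
    for (const struct vnode *v = vp->lower != NULL ? vp->lower : vp;
         v != NULL; v = v->parent)
        if (v == root)
            return true;
    return false;
}
/* Scenario from the commit: lower tree global -> jail -> dir, with a stacked
 * vnode over dir whose dotdot lookups instantiate stacked vnodes over jail
 * and global (the lower directory moved out from under the mount). */
static bool dotdot_stays_in_jail(bool (*is_root)(const struct vnode *,
                                                 const struct vnode *))
{
    struct vnode global = { NULL, NULL }, jail = { &global, NULL },
                 dir = { &jail, NULL };
    struct vnode s_global = { NULL, &global }, s_jail = { &s_global, &jail },
                 s_dir = { &s_jail, &dir };
    return confined(walk_dotdot(&s_dir, &jail, 3, is_root), &jail);
}
```

With the old test the walk ends on the stacked vnode over the global root, outside the jail; with the new test it stops on the stacked vnode over the jail root.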