Re: when is VFCF_JAIL allowed?

From: Brooks Davis <brooks_at_freebsd.org>
Date: Mon, 12 Feb 2024 18:56:07 UTC
On Mon, Feb 12, 2024 at 10:41:12AM -0800, Chuck Tuffli wrote:
> On Mon, Feb 12, 2024, at 10:16 AM, Brooks Davis wrote:
> > On Mon, Feb 12, 2024 at 10:02:01AM -0800, Chuck Tuffli wrote:
> > > I was experimenting with a workflow and needed to allow a jail to mount an ISO image. This fails because the cd9660 file system does not set VFCF_JAIL:
> > >                       can be mounted from within a jail if allow.mount and
> > >                       allow.mount.<vfc_name> jail parameters are set
> > > Is there a reason jails should not be allowed to mount an ISO or is it because no one has added the support?
> > 
> > File systems where the kernel parses a binary disk image aren't generally
> > safe because a bad image can corrupt kernel state.  It should be safe
> > and allowed to mount an ISO via fusefs (not sure if we have a module
> > available in ports, but I'd guess so.)
> Thanks for the feedback, Brooks. This makes sense, but I must be missing the safety difference between host and the jail. On the host, I can do:
> 
> # mdconfig -a -t vnode -f ./seed.iso -u 1
> # mount_cd9660 /dev/iso9660/cidata /media/
> 
> Does this not run the same risk of corrupting kernel state, or maybe this is a bug?

If you trust the jail completely then there is no difference.  If the
jail is for isolation then outside you can choose as an administrator to
risk corrupting the kernel, but inside you likely don't want to allow
that since it could be a jail escape via arbitrary code execution.

> I'm also noticing the msdosfs cannot be mounted in a jail either:
> 
> $ lsvfs cd9660 msdosfs
> Filesystem                              Num  Refs  Flags
> -------------------------------- ---------- -----  ---------------
> cd9660                           0x000000bd     0  read-only
> msdosfs                          0x00000032     1
> 
> Is there a similar issue with this file system as well?

Same thing.  Also with UFS and ext2fs.  IIRC the only disk-based
file system that can be mounted is ZFS and that's because root in the
jail isn't supplying the underlying bits, instead it's mounting a
file system from a previously attached pool.

-- Brooks