Re: realpath() leakage and unix socket collision in -o union mounts + jails
- In reply to: Konstantin Belousov : "Re: realpath() leakage and unix socket collision in -o union mounts + jails"
Date: Wed, 08 Oct 2025 16:13:52 UTC
On Wed, Oct 08, 2025 at 06:03:42PM +0300, Konstantin Belousov wrote:
> On Wed, Oct 08, 2025 at 09:36:26AM +0200, David 'equinox' Lamparter wrote:
> > On Wed, Oct 08, 2025 at 07:37:49AM +0300, Konstantin Belousov wrote:
> > > On Tue, Oct 07, 2025 at 08:49:27PM +0200, David 'equinox' Lamparter wrote:
> > > > I'm working on a network testing system that uses jails to emulate
> > > > virtual routers. The test target is == the host here, so I'm using
> > > > union mounts to create a "clone" of the host. That looks like this:
> > >
> > > What are you trying to achieve by the MNT_UNION flag?
> > > Or rather, do not use union mounts as root for jails.
> >
> > The test target is the host system. The user has installed & modified a
> > bunch of things on the host. I need multiple clones of the host to run
> > as virtual test targets in vnet jails, and repeatedly create & drop
> > these (they exist for about 10 seconds on the shortest tests.) Note
> > there is no security boundary or requirement, the jail's only purpose is
> > the vnet.
> >
> > My alternatives are, in order: unionfs, zfs snapshots, copying the
> > entire system tree. unionfs works but I was attempting to get away from
> > an unsupported component.
> >
> > > > Neither of these two issues happens with unionfs (which I've now fallen
> > > > back to using, but AIUI that's entirely unmaintained and unsupported...)
> > > > Could someone investigate these?
> > >
> > > There is nothing to investigate, unix sockets are bypassed for nullfs,
> > > this is a feature.
> >
> > Can I turn off this feature? Is it documented somewhere?
>
> No, there is no knob for it. It is not too hard to add a mount option
> for nullfs. In fact https://reviews.freebsd.org/D52983
>
> It is documented in the sense that it is a normal behavior for the
> unix sockets: nullfs bypasses the socket vnode to single instance.