From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 258364] [jail]Two issues that can easily exhaust the host kernel's numvnodes or dp_dirty_total in jail, and may cause DoS attack
Date: Mon, 13 Sep 2021 15:25:55 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Product: Security
X-Bugzilla-Component: Base
X-Bugzilla-Version: unspecified
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: markj@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: jail@FreeBSD.org
X-Bugzilla-Changed-Fields: bug_status cc assigned_to
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258364

Mark Johnston changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open
                 CC|                            |markj@FreeBSD.org
           Assignee|secteam@FreeBSD.org         |jail@FreeBSD.org

--- Comment #1 from Mark Johnston ---
We do not consider this to be a security bug. Jails do not provide perfect
resource isolation, and there are many cases beyond the vnode cache and dirty
buffer pool where this is evident. Any resources utilized by a jail become
unavailable to the host by definition.

In the case of vnodes, numvnodes counts the number of cached vnodes. This
cache is subject to an eviction policy, so reaching maxvnodes (using mkdir(1))
should not prevent the host from opening files. Similarly, ZFS imposes a limit
on the amount of dirty buffers that may be accumulated, but will (eventually)
make space for newly dirtied data by flushing. So I do not think that these
problems result in anything other than a marginal performance degradation,
which appears to agree with your report.

Certainly it's desirable to have some way of limiting consumption of these
resources by a particular jail (e.g., via rctl), but for vnodes at least it's
not immediately obvious to me how one would go about that, since filesystem
namespaces are shared with the host. Opened vnodes are not subject to
reclamation in general but can be limited using rctl.

-- 
You are receiving this mail because:
You are the assignee for the bug.