Hierarchical jails

Julian Elischer julian at elischer.org
Fri May 15 07:26:33 UTC 2009

Jilles Tjoelker wrote:
> On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote:
>> There's still a change to offer your input on the new jails before they
>> go in!  OK, given the lack of response so far, it's less "still a
>> chance" than "please?".  Current plans are to have this in place for
>> 8.0, with connections to the ongoing Vimage work.  Hopefully the silence
>> is approval, and commits will likely be appearing soon.
> I have not tried this, but I think this patch may allow jailed roots to
> escape. The problem is that there is only one fd_jdir. The escape would
> go like: jailed root creates a new jail in a subdirectory, opens its /
> and sends the fd to a process in the new jail via a unix domain socket.
> When the process calls fchdir on the fd, it will be able to access ..
> normally.
> With nested chroot, or chroot in jail, this is not possible, because
> fd_jdir always contains the first jail or chroot done and will not allow
> escaping from it; however, root in a level 2 chroot can escape back to
> level 1 using chroot.

this is the old chroot escape.
it is well known and methods exist to stop it.
I can not say what is done here, but your post does remind me to add 
this to the list of things we need to keep in mind.

More information about the freebsd-jail mailing list