[Bug 262180] jail escaping via jail-friendly nullfs
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 262180] jail escaping via jail-friendly nullfs"
Date: Fri, 28 Mar 2025 11:22:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262180

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kib@FreeBSD.org,
                   |                            |markj@FreeBSD.org

--- Comment #7 from Mark Johnston <markj@FreeBSD.org> ---
This is a consequence of the way nullfs handles dotdot lookups. Here, a proc's cwd is a nullfs vnode, and behind the scenes the corresponding lower vnode is moved out of the exported directory. Then, successive dotdot lookups instantiate nullfs vnodes outside of the nullfs mountpoint. These get returned and effectively "cover" the jail's root dir, so the pointer equality check in vfs_lookup() against ni_rootdir doesn't work because it's comparing the returned nullfs vnode with a lower vnode.

There is a hack in null_lookup() to handle this kind of situation, and this is enough to prevent the problem if the process root is also a mountpoint.

To fix this, I think vfs_lookup() either has to compare ni_topdir/ni_rootdir with "dp" and its aliases, using a VOP implemented by nullfs, or we can start passing the ndp to VOP_LOOKUP somehow and modify nullfs to perform this check internally.

-- 
You are receiving this mail because:
You are the assignee for the bug.
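The following is an added illustration of the root-check failure described in the comment above; it is not code from the bug report or from the FreeBSD kernel. It is a deliberately tiny user-space model: `struct vnode` is a stand-in with a `parent` pointer and, for nullfs aliases, a `lower` pointer; `make_alias()` stands in for nullfs instantiating a new upper vnode on a dotdot lookup; `vop_unwrap()` is a hypothetical version of the "VOP implemented by nullfs" that the comment proposes; and the directory layout (host root, jail root, an exported directory, a directory that is renamed out of it while a process holds it as cwd) is constructed for the demo. The walk shows that a pure pointer comparison against the jail root never matches a nullfs alias of that root and keeps climbing, while a comparison that sees through aliases stops where it should.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified vnode; not the kernel's struct vnode.
 * A nullfs vnode aliases a lower vnode via `lower`; plain vnodes have
 * lower == NULL. `parent` is what ".." on a plain vnode resolves to. */
struct vnode {
    const char *name;
    struct vnode *parent;
    struct vnode *lower;
};

/* Fixed pool of nullfs aliases created during a walk (stands in for the
 * upper vnodes nullfs instantiates for dotdot lookups). */
static struct vnode alias_pool[16];
static int alias_used;

static struct vnode *make_alias(struct vnode *lower)
{
    struct vnode *vp = &alias_pool[alias_used++ % 16];
    vp->name = lower->name;
    vp->parent = NULL;      /* ".." on an alias goes through the lower vnode */
    vp->lower = lower;
    return vp;
}

/* Hypothetical VOP: strip every nullfs layer and return the real vnode. */
static struct vnode *vop_unwrap(struct vnode *vp)
{
    while (vp->lower != NULL)
        vp = vp->lower;
    return vp;
}

/* The check the comment describes vfs_lookup() making: pointer equality. */
bool root_check_pointer(struct vnode *dp, struct vnode *rootdir)
{
    return dp == rootdir;
}

/* Alias-aware check: compare what dp and rootdir ultimately refer to. */
bool root_check_alias(struct vnode *dp, struct vnode *rootdir)
{
    return vop_unwrap(dp) == vop_unwrap(rootdir);
}

/* Resolve ndots consecutive ".." components from cwd. ".." at the process
 * root stays at the root. On a nullfs vnode the parent is found through the
 * lower vnode and a fresh alias is instantiated for it. Returns the name of
 * the underlying vnode where the walk stopped. */
const char *walk_dotdot(struct vnode *cwd, struct vnode *rootdir, int ndots,
                        bool (*is_root)(struct vnode *, struct vnode *))
{
    struct vnode *dp = cwd;
    for (int i = 0; i < ndots; i++) {
        if (is_root(dp, rootdir))
            break;
        struct vnode *up = vop_unwrap(dp)->parent;
        if (up == NULL)
            break;              /* reached the host's real root */
        dp = (dp->lower != NULL) ? make_alias(up) : up;
    }
    return vop_unwrap(dp)->name;
}

/* Constructed layout: "/" > "jail" (the process root) > "export" (the
 * directory exported through nullfs) > "dir" (the process's cwd). */
static struct vnode host_root  = { "/",      NULL,        NULL };
static struct vnode jail_root  = { "jail",   &host_root,  NULL };
static struct vnode export_dir = { "export", &jail_root,  NULL };
static struct vnode dir        = { "dir",    &export_dir, NULL };

/* Run the scenario with a given root check and report where ".." x5 lands. */
const char *demo(bool (*is_root)(struct vnode *, struct vnode *))
{
    alias_used = 0;
    dir.parent = &export_dir;
    struct vnode *cwd = make_alias(&dir);   /* cwd is the nullfs alias of dir */
    dir.parent = &jail_root;                /* dir renamed out of "export" */
    return walk_dotdot(cwd, &jail_root, 5, is_root);
}

int main(void)
{
    printf("pointer check ends at: %s\n", demo(root_check_pointer));
    printf("alias check ends at:   %s\n", demo(root_check_alias));
    return 0;
}
```

With the pointer check the walk climbs past "jail" to "/" because the alias of the jail root compares unequal to the jail root itself; with the alias-aware check it stops at "jail". In the real kernel the equivalent stop has to happen in vfs_lookup() against ni_rootdir, which is why the comment suggests either an alias-resolving VOP there or giving nullfs enough context to do the check itself.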