[Bug 285782] Jail escape via directory rename outside of jail $path.

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 285782] Jail escape via directory rename outside of jail $path."
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 30 Mar 2025 21:43:32 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285782

--- Comment #2 from Konstantin Belousov <kib@FreeBSD.org> ---
I suspect this thing can be made into sort-of exploit if nested jails are
enabled.  There, you would replace the 'host' by upper jail, and the jail
is created as subordinate of the upper jail. Then if a process in the sub-
ordinate jail owns the file descriptor pointing to the directory that is
moved out of the hierarchy of the sub-ord (and upper jail can do that),
the process can escape into host namespace.

-- 
You are receiving this mail because:
You are the assignee for the bug.