From: Brooks Davis
To: Chuck Tuffli
Cc: fs@freebsd.org
Date: Mon, 12 Feb 2024 18:56:07 +0000
Subject: Re: when is VFCF_JAIL allowed?
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

On Mon, Feb 12, 2024 at 10:41:12AM -0800, Chuck Tuffli wrote:
> On Mon, Feb 12, 2024, at 10:16 AM, Brooks Davis wrote:
> > On Mon, Feb 12, 2024 at 10:02:01AM -0800, Chuck Tuffli wrote:
> > > I was experimenting with a workflow and needed to allow a jail to mount an ISO image.
> > > This fails because the cd9660 file system does not set VFCF_JAIL:
> > >     can be mounted from within a jail if allow.mount and
> > >     allow.mount. jail parameters are set
> > > Is there a reason jails should not be allowed to mount an ISO or is it because no one has added the support?
> >
> > File systems where the kernel parses a binary disk image aren't generally
> > safe because a bad image can corrupt kernel state. It should be safe
> > and allowed to mount an ISO via fusefs (not sure if we have a module
> > available in ports, but I'd guess so.)
> Thanks for the feedback, Brooks. This makes sense, but I must be missing the safety difference between host and the jail. On the host, I can do:
>
> # mdconfig -a -t vnode -f ./seed.iso -u 1
> # mount_cd9660 /dev/iso9660/cidata /media/
>
> Does this not run the same risk of corrupting kernel state, or maybe this is a bug?

If you trust the jail completely then there is no difference. If the jail is for isolation then outside you can choose as an administrator to risk corrupting the kernel, but inside you likely don't want to allow that since it could be a jail escape via arbitrary code execution.

> I'm also noticing the msdosfs cannot be mounted in a jail either:
>
> $ lsvfs cd9660 msdosfs
> Filesystem                              Num  Refs  Flags
> -------------------------------- ---------- ----- ---------------
> cd9660                           0x000000bd     0 read-only
> msdosfs                          0x00000032     1
>
> Is there a similar issue with this file system as well?

Same thing. Also with UFS and ext2fs. IIRC the only disk-based file system that can be mounted is ZFS and that's because root in the jail isn't supplying the underlying bits, instead it's mounting a file system from a previously attached pool.

-- 
Brooks
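As an added example (not part of the thread), a small shell audit that classifies lsvfs(1) output by the "jail" flag, which lsvfs prints for a file system whose vfsconf sets VFCF_JAIL, and names the per-file-system allow.mount.<name> jail parameter that must also be enabled before a jail can mount it. The lsvfs rows below are constructed sample data, not output captured in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. lsvfs(1) shows the flag "jail" for a
# file system whose vfsconf sets VFCF_JAIL; such a file system can be mounted
# from a jail once allow.mount and allow.mount.<name> are set for that jail.
# Anything without the flag (cd9660, msdosfs, ufs, ext2fs, ...) is host-only,
# for the reason given in the thread: the kernel would be parsing an image
# supplied by the jail.

# Constructed sample in lsvfs output format (not captured from a real host).
# On FreeBSD, pipe live output instead:  lsvfs | classify_vfs
SAMPLE_LSVFS='Filesystem                              Num  Refs  Flags
-------------------------------- ---------- ----- ---------------
zfs                              0x000000de     7 jail, delegated-administration
nullfs                           0x00000029     2 loopback, jail
cd9660                           0x000000bd     0 read-only
msdosfs                          0x00000032     1
ufs                              0x00000035     4'

# Reads lsvfs output on stdin and prints one line per file system:
#   <name> jail allow.mount.<name>   jail-mountable once that parameter is set
#   <name> host-only                 no VFCF_JAIL; mount only from the host
classify_vfs() {
    awk '
        NR <= 2 { next }                    # skip column header and separator
        {
            name = $1; jail = 0
            for (i = 4; i <= NF; i++) {     # flags start in column 4, comma separated
                f = $i; sub(/,$/, "", f)
                if (f == "jail") jail = 1
            }
            if (jail) printf "%s jail allow.mount.%s\n", name, name
            else      printf "%s host-only\n", name
        }'
}

# Wrappers over the sample so the check can be run directly.
jail_mountable() { printf '%s\n' "$SAMPLE_LSVFS" | classify_vfs | awk '$2 == "jail" { print $1 }'; }
host_only()      { printf '%s\n' "$SAMPLE_LSVFS" | classify_vfs | awk '$2 == "host-only" { print $1 }'; }

printf 'jail-mountable: %s\n' "$(jail_mountable | tr '\n' ' ')"
printf 'host-only:      %s\n' "$(host_only | tr '\n' ' ')"
```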