is nfs mount inside jail possible?
Alexander Leidinger
Alexander at Leidinger.net
Thu Jun 26 06:06:35 UTC 2008
Quoting Robert Watson <rwatson at FreeBSD.org> (from Wed, 25 Jun 2008
17:53:36 +0100 (BST)):
> I don't know of any specific vulnerabilities that will open up, and
> I don't have time to read the source code to find them now, but I do
> promise you that if you allow arbitrary mounting of file systems in
> jail, you will likely run into quite a few, simply because mounting
> of file systems is a sensitive operation, modifies the file system

I agree, but I put the focus on "arbitrary". What I specially did not
include in the list was ufs, procfs, fdescfs and some more.

UFS can cause a kernel panic if used with a bad FS image. For procfs
we even recommend to not mount it in a normal system, and for others I
don't know if they are robust enough.

For nullfs all depends if it can break out of the jail or not. If it
can not, I don't see why we should not allow to mount it in a jail.
Based upon what I've read in the source, it's even easy to test. As it
gets path names the kernel resolves itself, the test would be to
modify mount_nullfs to not do the realpath, and test by adding some
"../" into the path (ok, this is a simplified description, there are
several cases which have to be tested, but it is not rocket science).

For other FS it depends what they are/do and how robust they are.
Wasn't there a FS-fuzzing paper a while ago which tested several
FreeBSD FS for robustness? Very interesting would be the robustness
for cd9660, msdosfs and udf. Those are candidates which would be
interesting to use in a jail.

> So, per my comments, I would recommend extreme caution because the
> implications are very tricky to reason about, requiring careful
> auditing of source code to ensure that expected protections will
> continue to be enforced. Caveat emptor. Beware the dog. Enter at
> your own risk. There be dragons. Run away!

I agree with everything except the "Run away!" :) This is CS, the
outcome should be deterministic... :)

Bye,
Alexander.

--
Man who sleep in beer keg wake up stickey.
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
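
Added example, not part of the original message and not FreeBSD code: a userland C model of the property the nullfs test described above is probing, namely whether a path containing "../" still resolves beneath the jail root. The function names and sample paths are assumptions, and realpath(3) stands in here for the kernel's own lookup.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if `path` equals `root` or lies beneath it, else 0. Both must already
 * be canonical absolute paths. The comparison stops on a component
 * boundary, so "/jail2" is not taken to be inside "/jail". */
int under_root(const char *root, const char *path)
{
    size_t n = strlen(root);
    if (n == 1 && root[0] == '/')
        return path[0] == '/';          /* everything is under "/" */
    if (n > 1 && root[n - 1] == '/')
        n--;                            /* ignore one trailing slash */
    if (strncmp(root, path, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/';
}

/* Resolve both paths ("..", "." and symlinks) and compare the results.
 * Returns 1 = inside, 0 = outside, -1 = a path could not be resolved. */
int resolves_inside(const char *jail_root, const char *candidate)
{
    char root[PATH_MAX], target[PATH_MAX];
    if (realpath(jail_root, root) == NULL ||
        realpath(candidate, target) == NULL)
        return -1;
    return under_root(root, target);
}

int main(void)
{
    /* Constructed cases; "/usr" plays the jail root and is assumed to exist. */
    const char *cases[][2] = {
        { "/usr", "/usr/bin/.." },          /* stays inside */
        { "/usr", "/usr/bin/../../etc" },   /* climbs out   */
        { "/usr", "/usr/no-such-dir/.." },  /* unresolvable */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-5s %-22s -> %d\n", cases[i][0], cases[i][1],
               resolves_inside(cases[i][0], cases[i][1]));
    return 0;
}
```

A plain string-prefix test on the unresolved path would accept the second case; resolving first and comparing on a component boundary is what rejects it.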