From owner-freebsd-jail@FreeBSD.ORG Mon May 11 11:06:59 2009
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 11 May 2009 11:06:58 GMT
Message-Id: <200905111106.n4BB6wQ2086004@freefall.freebsd.org>
List-Id: "Discussion about FreeBSD jail(8)"
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/132092  jail       [jail] jail can listen on *:port when jail_socket_unix
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

5 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon May 11 16:31:23 2009
From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-jail@FreeBSD.org
Date: Mon, 11 May 2009 10:58:28 -0500
Message-ID: <143912190905110858q5185fc11hb686ecea968ba485@mail.gmail.com>
Subject: security.jail.allow_raw_sockets per jail

Hi,

Is it possible to set security.jail.allow_raw_sockets=0 per jail instead of
for all the jails?

regards.

--
nbari.tel

From owner-freebsd-jail@FreeBSD.ORG Mon May 11 17:51:50 2009
From: Espartano
To: Nicolas de Bari Embriz Garcia Rojas
Cc: freebsd-jail@freebsd.org
Date: Mon, 11 May 2009 12:26:28 -0500
In-Reply-To: <143912190905110858q5185fc11hb686ecea968ba485@mail.gmail.com>
Subject: Re: security.jail.allow_raw_sockets per jail

On Mon, May 11, 2009 at 10:58 AM, Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi, Is it possible to set security.jail.allow_raw_sockets=0 per jail
> instead of for all the jails?
>
> regards.

I think that the answer is NO :(

--
"Linux is for people who hate Windows, BSD is for people who love UNIX".
"Documentation is like sex: when it is good, it is very, very good; and when
it is bad, it is better than nothing."
My personal weblog http://people.linuxreal.org/espartano/blog/
Sent from Cordoba, Ver, Mexico

From owner-freebsd-jail@FreeBSD.ORG Thu May 14 17:12:57 2009
From: Jamie Gritton
To: jail@FreeBSD.org, virtualization@FreeBSD.org
Cc: FreeBSD Current
Date: Thu, 14 May 2009 11:12:50 -0600
Message-ID: <4A0C5112.9010103@FreeBSD.org>
In-Reply-To: <4A051DE3.30705@FreeBSD.org>
Subject: Re: Hierarchical jails

There's still a chance to offer your input on the new jails before they go
in! OK, given the lack of response so far, it's less "still a chance" than
"please?". Current plans are to have this in place for 8.0, with connections
to the ongoing Vimage work. Hopefully the silence is approval, and commits
will likely be appearing soon.

I wrote:
> Here's the first round of hierarchical jails under the new framework.
>
> Instead of creds having either a prison or a NULL pointer, they all have
> a prison pointer with the default being the global "prison0" that
> contains information about the real environment. Jailed root may (if
> granted permission) create prisons that would be under its place in the
> hierarchy, but may not alter (or even see) prisons at its level or
> above.
>
> The JID space is flat, i.e. every prison in the system has a unique ID.
> The prison name space is hierarchical, with jails having dot-separated
> component names.
>
> prison0 contains three fields that were system globals: pr_root,
> pr_host, and pr_securelevel. I've kept the globals rootvnode and
> hostname, and take care that when one is changed the other changes too
> (not yet true for hostname - read on). But I've actually removed the
> global securelevel, instead forcing people to use securelevel_gt() and
> securelevel_ge() (or in very rare cases to check prison0.pr_securelevel
> directly). I chose to do that because while using the global rootvnode
> and hostname may be incorrect, using the wrong securelevel is, well,
> insecure. Actually it would be insecure to use the wrong rootvnode too,
> but I'm not convinced removing that global is worth the headache.
>
> Other globals are subsumed into prison0, but they were only ever part of
> the jail system anyway: the various jail-related permission bits and
> such administrative things as prisoncount.
>
> The prison hierarchy keeps track of restrictions placed on prisons, and
> will reflect them downward so a child jail is always at least as
> restricted as its ancestors. It doesn't go the other way though: if a
> prison's restrictions are loosened, the children stay as they are.
>
> This patch doesn't have anything for userland, and hierarchical jails
> won't work without that patch (because jails don't have permission to
> create sub-jails by default, and jail(2) can't grant that permission).
> A userland patch will follow soon, very similar to the version I posted
> here recently.
>
> - Jamie

From owner-freebsd-jail@FreeBSD.ORG Thu May 14 17:33:04 2009
From: Julian Elischer
To: Jamie Gritton
Cc: virtualization@FreeBSD.org, jail@FreeBSD.org, FreeBSD Current
Date: Thu, 14 May 2009 10:33:03 -0700
Message-ID: <4A0C55CF.70706@elischer.org>
In-Reply-To: <4A0C5112.9010103@FreeBSD.org>
Subject: Re: Hierarchical jails

Jamie Gritton wrote:
> There's still a chance to offer your input on the new jails before they
> go in! OK, given the lack of response so far, it's less "still a
> chance" than "please?". Current plans are to have this in place for
> 8.0, with connections to the ongoing Vimage work. Hopefully the silence
> is approval, and commits will likely be appearing soon.
>

I think I may have replied before but it all looks pretty good to me..

> I wrote:
>> Here's the first round of hierarchical jails under the new framework.
>>
>> Instead of creds having either a prison or a NULL pointer, they all have
>> a prison pointer with the default being the global "prison0" that
>> contains information about the real environment. Jailed root may (if
>> granted permission) create prisons that would be under its place in the
>> hierarchy, but may not alter (or even see) prisons at its level or
>> above.

agreed

>> The JID space is flat, i.e. every prison in the system has a unique ID.
>> The prison name space is hierarchical, with jails having dot-separated
>> component names.

agreed

>> prison0 contains three fields that were system globals: pr_root,
>> pr_host, and pr_securelevel. I've kept the globals rootvnode and
>> hostname, and take care that when one is changed the other changes too
>> (not yet true for hostname - read on). But I've actually removed the
>> global securelevel, instead forcing people to use securelevel_gt() and
>> securelevel_ge() (or in very rare cases to check prison0.pr_securelevel
>> directly). I chose to do that because while using the global rootvnode
>> and hostname may be incorrect, using the wrong securelevel is, well,
>> insecure. Actually it would be insecure to use the wrong rootvnode too,
>> but I'm not convinced removing that global is worth the headache.

Not sure why you want to keep hostname a true global. It seems to me that
it is an eminently virtualizable property, though possibly a special
hostname might exist for the base system for error messages etc., kind of
like V_hostname and G_hostname :)

Otherwise I agree.

>> Other globals are subsumed into prison0, but they were only ever part of
>> the jail system anyway: the various jail-related permission bits and
>> such administrative things as prisoncount.
>>
>> The prison hierarchy keeps track of restrictions placed on prisons, and
>> will reflect them downward so a child jail is always at least as
>> restricted as its ancestors. It doesn't go the other way though: if a
>> prison's restrictions are loosened, the children stay as they are.

I agree with this in principle and we'll see how it works out in practice.

>> This patch doesn't have anything for userland, and hierarchical jails
>> won't work without that patch (because jails don't have permission to
>> create sub-jails by default, and jail(2) can't grant that permission).
>> A userland patch will follow soon, very similar to the version I posted
>> here recently.

I looked at that too. All in all, I like it.

>> - Jamie

From owner-freebsd-jail@FreeBSD.ORG Thu May 14 17:44:24 2009
From: Jamie Gritton
To: Julian Elischer
Cc: virtualization@FreeBSD.org, jail@FreeBSD.org, FreeBSD Current
Date: Thu, 14 May 2009 11:44:17 -0600
Message-ID: <4A0C5871.1080407@FreeBSD.org>
In-Reply-To: <4A0C55CF.70706@elischer.org>
Subject: Re: Hierarchical jails

Julian Elischer wrote:
> Jamie Gritton wrote:
>>> prison0 contains three fields that were system globals: pr_root,
>>> pr_host, and pr_securelevel. I've kept the globals rootvnode and
>>> hostname, and take care that when one is changed the other changes too
>>> (not yet true for hostname - read on). But I've actually removed the
>>> global securelevel, instead forcing people to use securelevel_gt() and
>>> securelevel_ge() (or in very rare cases to check prison0.pr_securelevel
>>> directly). I chose to do that because while using the global rootvnode
>>> and hostname may be incorrect, using the wrong securelevel is, well,
>>> insecure. Actually it would be insecure to use the wrong rootvnode too,
>>> but I'm not convinced removing that global is worth the headache.
>
> Not sure why you want to keep hostname a true global. It seems to me
> that it is an eminently virtualizable property, though possibly a
> special hostname might exist for the base system for error messages
> etc., kind of like V_hostname and G_hostname :)

It was mostly for the number of times I saw that global being used - didn't
want to upset the order of things too much. I didn't see nearly as much use
of securelevel with the advent of securelevel_ge() and securelevel_gt(). But
I suppose the G/V_hostname thing has already gotten that ball rolling.

There is at least one place that uses the global securelevel directly (i.e.
prison0.securelevel). The same could be done for hostnames, which does a
pretty good job of pointing out that this is the global hostname being used.
Because you're right - the hostname is at the center of what it means to
have a jail identity.

Then there's rootvnode, the third global that's superseded by hierarchical
jails. I could also remove that, allowing the use of prison0.pr_root for
those who need the real root.
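The hierarchy invariant from Jamie's original post (restrictions reflected downward, loosening not), together with the per-prison securelevel checks discussed in this reply, modelled in C as an added example that is not code from this thread or from FreeBSD. struct jail_model, the ALLOW_* bit names and every helper function are assumptions standing in for struct prison and the real securelevel_gt()/securelevel_ge().

```c
/*
 * Model of the hierarchy invariant Jamie describes: restrictions placed on
 * a prison are reflected down to its descendants, loosening is not. Added
 * illustration, not FreeBSD kernel code: struct jail_model, the allow bits
 * and every helper here are assumptions standing in for struct prison's
 * fields and for the real securelevel_gt()/securelevel_ge().
 */
#include <stdbool.h>
#include <stddef.h>

#define ALLOW_RAW_SOCKETS 0x1 /* stands in for security.jail.allow_raw_sockets */
#define ALLOW_SYSVIPC     0x2 /* stands in for security.jail.sysvipc_allowed */

struct jail_model {
    int securelevel;
    unsigned allow;                 /* set bit = permission granted */
    struct jail_model *parent;      /* NULL for prison0 */
    struct jail_model *child[4];
    int nchildren;
};

/* Stand-ins for securelevel_gt()/securelevel_ge(): the comparison is against
 * the prison's own securelevel, not a system global. */
bool model_securelevel_gt(const struct jail_model *pr, int lvl) { return pr->securelevel > lvl; }
bool model_securelevel_ge(const struct jail_model *pr, int lvl) { return pr->securelevel >= lvl; }

/* Tighten: raise the securelevel (it never goes back down) and revoke allow
 * bits, then reflect the same restriction onto every descendant. */
void jail_restrict(struct jail_model *pr, int securelevel, unsigned revoke)
{
    int i;

    if (securelevel > pr->securelevel)
        pr->securelevel = securelevel;
    pr->allow &= ~revoke;
    for (i = 0; i < pr->nchildren; i++)
        jail_restrict(pr->child[i], securelevel, revoke);
}

/* Loosen: grant allow bits to this prison only, and only those its parent
 * holds itself; children keep whatever restriction they already have. */
void jail_loosen(struct jail_model *pr, unsigned grant)
{
    if (pr->parent != NULL)
        grant &= pr->parent->allow;
    pr->allow |= grant;
}

/* Invariant over the subtree at pr: every child is at least as restricted
 * as its parent, in both securelevel and allow bits. */
bool at_least_as_restricted(const struct jail_model *pr)
{
    const struct jail_model *up = pr->parent;
    int i;

    if (up != NULL && (pr->securelevel < up->securelevel || (pr->allow & ~up->allow) != 0))
        return false;
    for (i = 0; i < pr->nchildren; i++)
        if (!at_least_as_restricted(pr->child[i]))
            return false;
    return true;
}

static void add_child(struct jail_model *parent, struct jail_model *child)
{
    child->parent = parent;
    parent->child[parent->nchildren++] = child;
}

/* Constructed scenario: prison0 -> j1 -> j1.sub. j1 is tightened, then j1
 * alone is loosened again; j1.sub must keep the tightened settings. */
static struct jail_model prison0 = { -1, ALLOW_RAW_SOCKETS | ALLOW_SYSVIPC };
static struct jail_model j1 = { 0, ALLOW_RAW_SOCKETS };
static struct jail_model j1_sub = { 0, ALLOW_RAW_SOCKETS };

struct jail_model *scenario(void)
{
    if (prison0.nchildren == 0) {         /* build and run only once */
        add_child(&prison0, &j1);
        add_child(&j1, &j1_sub);
        jail_restrict(&j1, 2, ALLOW_RAW_SOCKETS); /* j1 and j1.sub lose raw sockets */
        jail_loosen(&j1, ALLOW_RAW_SOCKETS);      /* j1 regains them, j1.sub does not */
        jail_loosen(&j1_sub, ALLOW_SYSVIPC);      /* refused: j1 itself lacks it */
    }
    return &prison0;
}
```

After scenario() runs, j1 is back to securelevel 2 with raw sockets allowed while j1.sub stays at securelevel 2 with nothing allowed, and the invariant check still passes over the whole tree.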
From owner-freebsd-jail@FreeBSD.ORG Thu May 14 18:15:03 2009
From: Jilles Tjoelker
To: Jamie Gritton
Cc: virtualization@FreeBSD.org, jail@FreeBSD.org, FreeBSD Current
Date: Thu, 14 May 2009 20:14:46 +0200
Message-ID: <20090514181446.GA42264@stack.nl>
In-Reply-To: <4A0C5112.9010103@FreeBSD.org>
Subject: Re: Hierarchical jails

On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote:
> There's still a chance to offer your input on the new jails before they
> go in! OK, given the lack of response so far, it's less "still a
> chance" than "please?". Current plans are to have this in place for
> 8.0, with connections to the ongoing Vimage work. Hopefully the silence
> is approval, and commits will likely be appearing soon.

I have not tried this, but I think this patch may allow jailed roots to
escape. The problem is that there is only one fd_jdir. The escape would go
like: jailed root creates a new jail in a subdirectory, opens its / and
sends the fd to a process in the new jail via a unix domain socket. When the
process calls fchdir on the fd, it will be able to access .. normally.

With nested chroot, or chroot in jail, this is not possible, because fd_jdir
always contains the first jail or chroot done and will not allow escaping
from it; however, root in a level 2 chroot can escape back to level 1 using
chroot.

--
Jilles Tjoelker

From owner-freebsd-jail@FreeBSD.ORG Thu May 14 19:12:48 2009
From: Jamie Gritton
To: Jilles Tjoelker
Cc: virtualization@FreeBSD.org, jail@FreeBSD.org, FreeBSD Current
Date: Thu, 14 May 2009 13:12:41 -0600
Message-ID: <4A0C6D29.7020606@FreeBSD.org>
In-Reply-To: <20090514181446.GA42264@stack.nl>
Subject: Re: Hierarchical jails

Jilles Tjoelker wrote:
> On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote:
>> There's still a chance to offer your input on the new jails before they
>> go in! OK, given the lack of response so far, it's less "still a
>> chance" than "please?". Current plans are to have this in place for
>> 8.0, with connections to the ongoing Vimage work. Hopefully the silence
>> is approval, and commits will likely be appearing soon.
>
> I have not tried this, but I think this patch may allow jailed roots to
> escape. The problem is that there is only one fd_jdir. The escape would
> go like: jailed root creates a new jail in a subdirectory, opens its /
> and sends the fd to a process in the new jail via a unix domain socket.
> When the process calls fchdir on the fd, it will be able to access ..
> normally.
>
> With nested chroot, or chroot in jail, this is not possible, because
> fd_jdir always contains the first jail or chroot done and will not allow
> escaping from it; however, root in a level 2 chroot can escape back to
> level 1 using chroot.

Indeed - considering how that was a major design point of jails, I'm not
sure how I missed it. ".." processing will need to run up the jail tree. No
big deal on performance and easily done, but embarrassing not to have had
that in place already.
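The ".." handling Jilles and Jamie discuss, as an added example that is not code from the thread or from the FreeBSD kernel: a path-string model with one function for the single-fd_jdir rule and one for the walk up the jail tree that Jamie proposes, applied to the situation Jilles describes (a process in a sub-jail whose working directory is the parent jail's root). struct jail_model, the /j1 and /j1/sub paths and all helper names are assumptions.

```c
/*
 * Model of ".." handling in a hierarchical jail tree. Added illustration,
 * not FreeBSD kernel code: struct jail_model and its fields are assumptions
 * standing in for struct prison's root and parent, and directories are
 * plain path strings rather than vnodes.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct jail_model {
    const char *root;                /* directory this jail is rooted at */
    const struct jail_model *parent; /* NULL for the host, i.e. prison0 */
};

/* The scenario from the thread: jail j1 at /j1 and its child j1.sub at
 * /j1/sub; the process under test runs in j1.sub. Constructed paths. */
static const struct jail_model prison0 = { "/", NULL };
static const struct jail_model j1 = { "/j1", &prison0 };
static const struct jail_model j1_sub = { "/j1/sub", &j1 };

/* Parent of a normalized absolute path: "/a/b" -> "/a", "/a" -> "/", "/" -> "/" */
static void parent_dir(const char *path, char *out, size_t outlen)
{
    size_t len = strlen(path);

    while (len > 1 && path[len - 1] != '/')
        len--;
    while (len > 1 && path[len - 1] == '/')
        len--;
    if (len >= outlen)
        len = outlen - 1;
    memcpy(out, path, len);
    out[len] = '\0';
}

/* Single fd_jdir rule as Jilles describes it: only the root of the jail the
 * process itself runs in pins "..". Result is returned in a static buffer. */
const char *dotdot_single_jdir(const struct jail_model *pr, const char *cwd)
{
    static char out[64];

    if (strcmp(cwd, pr->root) == 0)
        snprintf(out, sizeof out, "%s", cwd);
    else
        parent_dir(cwd, out, sizeof out);
    return out;
}

/* Fix Jamie describes: ".." processing runs up the jail tree, so the root of
 * the current jail and of every ancestor pins "..". Static buffer again. */
const char *dotdot_jail_tree(const struct jail_model *pr, const char *cwd)
{
    static char out[64];
    const struct jail_model *p;

    for (p = pr; p != NULL; p = p->parent) {
        if (strcmp(cwd, p->root) == 0) {
            snprintf(out, sizeof out, "%s", cwd);
            return out;
        }
    }
    parent_dir(cwd, out, sizeof out);
    return out;
}

/* The process in j1.sub sits at j1's root /j1 (the directory the passed fd
 * referred to) and looks up "..": true means it lands on the host's /. */
bool single_jdir_reaches_host(void)
{
    return strcmp(dotdot_single_jdir(&j1_sub, "/j1"), prison0.root) == 0;
}

bool jail_tree_reaches_host(void)
{
    return strcmp(dotdot_jail_tree(&j1_sub, "/j1"), prison0.root) == 0;
}

int main(void)
{
    printf("single fd_jdir: %s\n", single_jdir_reaches_host() ? "escapes" : "confined");
    printf("jail-tree walk: %s\n", jail_tree_reaches_host() ? "escapes" : "confined");
    return 0;
}
```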
From owner-freebsd-jail@FreeBSD.ORG Fri May 15 07:26:33 2009
From: Julian Elischer
To: Jilles Tjoelker
Cc: virtualization@FreeBSD.org, jail@FreeBSD.org, FreeBSD Current, Jamie Gritton
Date: Fri, 15 May 2009 00:26:31 -0700
Message-ID: <4A0D1927.8090303@elischer.org>
In-Reply-To: <20090514181446.GA42264@stack.nl>
Subject: Re: Hierarchical jails

Jilles Tjoelker wrote:
> On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote:
>> There's still a chance to offer your input on the new jails before they
>> go in! OK, given the lack of response so far, it's less "still a
>> chance" than "please?". Current plans are to have this in place for
>> 8.0, with connections to the ongoing Vimage work. Hopefully the silence
>> is approval, and commits will likely be appearing soon.
>
> I have not tried this, but I think this patch may allow jailed roots to
> escape. The problem is that there is only one fd_jdir. The escape would
> go like: jailed root creates a new jail in a subdirectory, opens its /
> and sends the fd to a process in the new jail via a unix domain socket.
> When the process calls fchdir on the fd, it will be able to access ..
> normally.
>
> With nested chroot, or chroot in jail, this is not possible, because
> fd_jdir always contains the first jail or chroot done and will not allow
> escaping from it; however, root in a level 2 chroot can escape back to
> level 1 using chroot.
>

This is the old chroot escape. It is well known and methods exist to stop
it. I cannot say what is done here, but your post does remind me to add this
to the list of things we need to keep in mind.