Date: Tue, 08 Jul 2025 20:03:19 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 288104] Cross-jail privilege spreading via SCM_RIGHTS.
Message-ID: <bug-288104-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288104

Bug ID: 288104
Summary: Cross-jail privilege spreading via SCM_RIGHTS.
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: firk@cantconnect.ru

As noted in the jail manpage, partially shared filesystem access between a jail and a non-privileged user outside, or between two jails, leads to various security problems. The obvious case is something like two jails with root dirs /path1 and /path1/subdir, which is not recommended. The less obvious case is a shared nullfs. But when set up properly, there is no danger. The proper setup is: 1) the nullfs lower dir should be exactly the same in both jails, 2) it should be mounted with nosuid (please correct me if I'm wrong here).

The third way to share filesystem access is SCM_RIGHTS over UNIX domain sockets. Unfortunately, there is currently no way to set up a cross-jail UNIX socket securely: it always leads to "partially shared filesystem" problems:

1) one side could create a setuid-root binary to leak its root privileges to the second, non-root side;
2) the non-root side could give a directory fd to root in another jail and gain unexpected write (or read) access to files.

The most dangerous thing is sharing opened directory fds, because that gives the other side full access to everything under that directory, but with the wrong permissions. But that's not all: sharing a regular file fd is also vulnerable and can be abused using fexecve (call a setuid-root binary from a foreign jail), fchmod/fchown (turn a regular foreign file into setuid-root), and maybe other things.

UNIX sockets and SCM_RIGHTS between different jails are surely a useful thing and it would be good to have them working, but the problems listed above may be fixed.

As for regular file fds, the fix is simple. We can create a flag like FD_RESOLVE_BENEATH here: https://cgit.freebsd.org/src/commit/?id=350ba9672a7f4f16e30534a603df577dfd083b3f (let's name it FD_FOREIGN), or reuse FD_RESOLVE_BENEATH itself, to disallow fchmod/fchown/maybe others and disable setuid/setgid handling in fexecve for this fd.

As for directory fds, things are much more complicated. The simplest way is to disable directory fd sharing between different-root jails at all (like @kib already proposed in PR 262179). If we want to keep the ability to share directories, the creds of the dirfd sender should somehow be attached to the dirfd and always combined with the creds of the received fd's user (allowing only things allowed to both of them).
