From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 280809] jail_attach(2) fails to document reason for EPERM
Date: Mon, 19 Aug 2024 11:15:23 +0000
X-Bugzilla-Product: Documentation
X-Bugzilla-Component: Manual Pages
X-Bugzilla-Who: crest@rlwinm.de
X-Bugzilla-Status: New
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280809

--- Comment #3 from crest@rlwinm.de ---

There is the kern.chroot_allow_open_directories sysctl to allow chroot() with directory file descriptors, but no such "backdoor" exists for jail_attach(), because jails are supposed to provide secure namespace isolation. Removing this restriction would allow trivial jail escapes through fchdir() and openat().

Allowing jailed processes to safely share directory file descriptors either through inheritance or file descriptor passing could be very useful, but is totally unsafe right now.

Sharing directory file descriptors through inheritance across jails is (and always has been) impossible because jail_attach() doesn't allow processes with one or more such file descriptors to attach to a jail. Despite this it's possible to share file descriptors across jails via file descriptor passing over unix domain sockets. Passing directory file descriptors to a directory outside the receiver's jail root into a jail is an instant file system escape because the jail root is enforced by comparing vnodes and if you `parent_fd = openat(dir_fd, "..", O_DIRECTORY)` you won't encounter the jail root vnode. By looping until "." == ".." the jailed process can find the host's root filesystem.

While the unix socket could be brought into a jail via jail_attach() the more likely real world situation would be intentionally sharing a nullfs mount across jails (e.g. a PostgreSQL jail <-> a FastCGI jail).

One way I can think of to make it safe would be to add an O_RESOLVE_BENEATH like write-once flag to file descriptors and allow only directory file descriptors with this flag to be shared across jails. It would have to be inherited too (e.g. openat(dir_fd, "", O_DIRECTORY) on a sub-directory). If the flag could be automatically set by jail_attach() and file descriptor passing across jails would work without extra syscalls to set the new flag with the caveat that ".." is inaccessible on such file descriptors and those derived from them.

-- 
You are receiving this mail because:
You are the assignee for the bug.
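The comment above explains that the jail root is enforced by vnode comparison, so a directory descriptor that arrives over a unix socket and points outside the receiver's root is never "seen" as crossing the root. Until a kernel-side flag of the kind the comment proposes exists, a receiving process can at least apply the same comparison itself before trusting a passed descriptor. The following is an added example written for this page, not code from the bug report or from FreeBSD: `fd_is_beneath()` walks ".." from a received directory descriptor, comparing each ancestor's (st_dev, st_ino) against the descriptor the receiver holds for its own root, and stops once "." and ".." refer to the same directory (a filesystem root). `demo()` builds a constructed temporary tree under `/tmp` (the `/jailroot`, `/outside` names and `/tmp/fdcheckXXXXXX` template are assumptions for the demo) and checks one descriptor inside and one outside that root.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* (device, inode) identity of a directory: the userspace analogue of the
 * vnode comparison the kernel uses for the jail root. */
static int same_dir(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Returns 1 if dir_fd is root_fd or lies beneath it, 0 if the walk up ".."
 * reaches a filesystem root without ever meeting root_fd, -1 on error. */
int fd_is_beneath(int root_fd, int dir_fd) {
    struct stat root_st, cur_st, parent_st;
    if (fstat(root_fd, &root_st) != 0) return -1;
    int cur = dup(dir_fd);                 /* never mutate the caller's fd */
    if (cur < 0) return -1;
    for (;;) {
        if (fstat(cur, &cur_st) != 0) { close(cur); return -1; }
        if (same_dir(&cur_st, &root_st)) { close(cur); return 1; }
        int parent = openat(cur, "..", O_RDONLY | O_DIRECTORY);
        if (parent < 0) { close(cur); return -1; }
        if (fstat(parent, &parent_st) != 0) { close(cur); close(parent); return -1; }
        if (same_dir(&cur_st, &parent_st)) {
            /* "." == "..": a filesystem root, and root_fd was not on the path */
            close(cur); close(parent);
            return 0;
        }
        close(cur);
        cur = parent;                      /* continue from the parent */
    }
}

/* Create base+sub and return an O_DIRECTORY descriptor for it (-1 on error). */
static int make_and_open(const char *base, const char *sub) {
    char path[512];
    snprintf(path, sizeof path, "%s%s", base, sub);
    if (mkdir(path, 0700) != 0) return -1;
    return open(path, O_RDONLY | O_DIRECTORY);
}

/* Remove the constructed tree again (children before parents). */
static void cleanup(const char *base) {
    const char *subs[] = {"/jailroot/srv/data", "/jailroot/srv", "/jailroot", "/outside", ""};
    char path[512];
    for (size_t i = 0; i < sizeof subs / sizeof subs[0]; i++) {
        snprintf(path, sizeof path, "%s%s", base, subs[i]);
        rmdir(path);
    }
}

/* Constructed demo tree (assumed layout, not from the bug report):
 *   <tmp>/jailroot/srv/data   -> should be reported as beneath jailroot
 *   <tmp>/outside             -> should be reported as not beneath it
 * Returns 0 on success and stores the two fd_is_beneath() results. */
int demo(int *inside_result, int *outside_result) {
    char base[] = "/tmp/fdcheckXXXXXX";
    if (mkdtemp(base) == NULL) return -1;
    int root_fd    = make_and_open(base, "/jailroot");
    int srv_fd     = make_and_open(base, "/jailroot/srv");
    int inside_fd  = make_and_open(base, "/jailroot/srv/data");
    int outside_fd = make_and_open(base, "/outside");
    int rc = -1;
    if (root_fd >= 0 && srv_fd >= 0 && inside_fd >= 0 && outside_fd >= 0) {
        *inside_result  = fd_is_beneath(root_fd, inside_fd);
        *outside_result = fd_is_beneath(root_fd, outside_fd);
        rc = 0;
    }
    close(root_fd); close(srv_fd); close(inside_fd); close(outside_fd);
    cleanup(base);
    return rc;
}

int main(void) {
    int in = -1, out = -1;
    if (demo(&in, &out) != 0) { perror("demo"); return 1; }
    printf("descriptor under the root: %d (expected 1)\n", in);
    printf("descriptor outside the root: %d (expected 0)\n", out);
    return 0;
}
```

Two caveats belong with this check. It is a point-in-time test: the directory can be renamed or the mount changed after the walk, so it reduces accidental misuse of a passed descriptor but is not equivalent to the kernel refusing to resolve ".." on the descriptor, which is what the write-once flag proposed in the comment would give. For paths resolved relative to a descriptor the receiver opens itself, FreeBSD's open(2) already accepts O_RESOLVE_BENEATH, which refuses lookups that would leave the starting directory; the comment's point is that no such property is carried along with a descriptor that was passed in from another jail.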