Date:      Sat, 11 Nov 2023 10:16:15 +0000
From:      Doug Rabson <dfr@rabson.org>
To:        =?UTF-8?Q?Mina_Gali=C4=87?= <freebsd@igalic.co>
Cc:        FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: mount_nullfs: /var/run/log: must be either a file or directory
Message-ID:  <CACA0VUiZWqS2wVP8OA8fK0rnmjZvROxVDMneQpoxPoNh6n0rjg@mail.gmail.com>
In-Reply-To: <cg0tpJtfXrnRHcTxPtgVhcQwoRWY-vr3PMrATaT7k0vvSuDZxlhe81qjkvJJh-LcLyvK4NOMkaFX70IG-tZY9zMA0giGPEfRdQIxPduXogs=@igalic.co>
References:  <cg0tpJtfXrnRHcTxPtgVhcQwoRWY-vr3PMrATaT7k0vvSuDZxlhe81qjkvJJh-LcLyvK4NOMkaFX70IG-tZY9zMA0giGPEfRdQIxPduXogs=@igalic.co>


On Fri, 7 Jul 2023 at 13:11, Mina Galić <freebsd@igalic.co> wrote:

> Hi folks,
>
> "recently", we added support for null-mounting single files:
>
>
> https://freshbsd.org/freebsd/src/commit/521fbb722c33663cf00a83bca70ad7cb790687b3
>
> This code restricts the mountable … thing to:
>
>         if ((lowerrootvp->v_type != VDIR && lowerrootvp->v_type != VREG)
> || …
>
>
> As the author of the abandoned https://reviews.freebsd.org/D27411
> which attempted to add a facility to syslog's rc to provide (selected)
> jails with a log socket, it was pointed out to me that this is a big
> security risk: https://reviews.freebsd.org/D27411#882100
>
> so I was wondering if null mounts are the same kind of security
> hazard, or if not allowing sockets is just the oversight of a
> first approximation of this patch?
>

Mounting anything into a jail needs to be done carefully. Clearly null
mounting /sbin into an untrusted jail allows all kinds of shenanigans to
happen but I don't see a huge problem with mounting e.g. a data volume or a
config file into a jail. Care needs to be taken at the point when the
object is mounted to defend against symlinks in the jail's chroot causing
the mount point to change to a surprising location outside the chroot. In
ocijail, I added code to resolve symlinks in the context of the jail's
chroot to avoid this.

I also think it's important to perform any mounts or other configuration
strictly before the jail is started - for OCI containers under podman or
containerd, this may happen after the jail is created but strictly before
anything in the container image is executed. Conversely, unmounting happens
strictly after the jail is removed.

In principle, I don't think it's a problem to mount sockets or fifos into a
jail but one of the points made in your diff that allowing jails to connect
to the host syslogd is a potential risk is a good one.

Doug.
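The symlink hazard Doug describes, as an added example that is not part of the thread and not code from ocijail, podman or FreeBSD: a path requested as a mount point inside the jail is resolved the way a process inside the chroot would see it, component by component, so an absolute link target such as /etc means <root>/etc rather than the host's /etc and ".." can never climb above the jail root. The function names, the symlink-loop limit and the directory tree built by build_fixture() are this example's own assumptions; naive_mountpoint() shows the host-side realpath(3) approach that a jail-controlled symlink can steer outside the root.

```python
"""Chroot-aware path resolution before mounting something into a jail.

Added example (not ocijail/FreeBSD code). resolve_in_root() interprets
every symlink with the jail's view of the filesystem; naive_mountpoint()
is the host-side realpath() that a symlink in the jail can redirect.
"""
import os
import stat
import tempfile

MAX_SYMLINKS = 40  # assumed loop guard, in the spirit of the kernel's MAXSYMLINKS


def resolve_in_root(root: str, path: str) -> str:
    """Host path that `path` denotes when seen from a chroot at `root`.

    Raises FileNotFoundError/NotADirectoryError if a component does not
    exist (a mount point must already exist) and OSError on a symlink loop.
    """
    root = os.path.realpath(root)
    pending = [c for c in path.split("/") if c not in ("", ".")]
    resolved: list[str] = []   # components below root; none of them is a symlink
    followed = 0
    while pending:
        comp = pending.pop(0)
        if comp == "..":
            if resolved:       # ".." at the jail root stays at the jail root
                resolved.pop()
            continue
        candidate = os.path.join(root, *resolved, comp)
        st = os.lstat(candidate)          # lstat: do not follow the link yet
        if not stat.S_ISLNK(st.st_mode):
            resolved.append(comp)
            continue
        followed += 1
        if followed > MAX_SYMLINKS:
            raise OSError(f"too many symbolic links resolving {path!r}")
        target = os.readlink(candidate)
        if target.startswith("/"):
            resolved = []      # absolute target: restart from the jail root, not "/"
        pending = [c for c in target.split("/") if c not in ("", ".")] + pending
    return os.path.join(root, *resolved)


def naive_mountpoint(root: str, path: str) -> str:
    """The unsafe version: symlinks are resolved with the host's view."""
    return os.path.realpath(os.path.join(root, path.lstrip("/")))


def is_under(root: str, host_path: str) -> bool:
    """True if host_path is root itself or lies below it."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, host_path]) == root


def build_fixture(base: str) -> str:
    """Constructed jail tree for the demo (not a real jail image)."""
    root = os.path.join(os.path.realpath(base), "jail")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var", "run"))
    for rel in ("etc/passwd", "var/run/log"):
        open(os.path.join(root, rel), "w").close()
    os.symlink("/etc", os.path.join(root, "escape"))   # absolute escape attempt
    os.symlink("../../..", os.path.join(root, "up"))    # relative escape attempt
    os.symlink("loop", os.path.join(root, "loop"))      # self-referential link
    return root


def demo() -> dict:
    """Resolve a few jail-relative mount points both ways and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_fixture(tmp)
        out = {
            "root": root,
            "log": resolve_in_root(root, "/var/run/log"),
            "escape_jail": resolve_in_root(root, "/escape/passwd"),
            "escape_host": naive_mountpoint(root, "/escape/passwd"),
            "up_jail": resolve_in_root(root, "/up/var/run"),
            "up_host": naive_mountpoint(root, "/up/var/run"),
        }
        try:
            resolve_in_root(root, "/loop")
            out["loop"] = "resolved"
        except OSError:
            out["loop"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

The string resolve_in_root() returns is the host-side path to hand to mount_nullfs(8); the naive variant yields /etc/passwd or an ancestor of the jail directory for the same requests. The check is only meaningful if nothing inside the jail can swap the links between resolution and the mount, which is exactly why the mount has to happen before anything from the image runs.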




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACA0VUiZWqS2wVP8OA8fK0rnmjZvROxVDMneQpoxPoNh6n0rjg>