From: Doug Rabson
Date: Sat, 11 Nov 2023 10:16:15 +0000
Subject: Re: mount_nullfs: /var/run/log: must be either a file or directory
To: Mina Galić
Cc: FreeBSD Current
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Fri, 7 Jul 2023 at 13:11, Mina Galić <freebsd@igalic.co> wrote:
> Hi folks,
>
> "recently", we added support for null-mounting single files:
>
> https://freshbsd.org/freebsd/src/commit/521fbb722c33663cf00a83bca70ad7cb790687b3
>
> This code restricts the mountable … thing to:
>
>         if ((lowerrootvp->v_type != VDIR && lowerrootvp->v_type != VREG)
>         || …
>
> As the author of the abandoned https://reviews.freebsd.org/D27411
> which attempted to add facility to syslog's rc to provide (selected)
> jails with a log socket, it was pointed out to me that this is a big
> security risk: https://reviews.freebsd.org/D27411#882100
>
> so I was wondering if null mounts are the same kind of security
> hazard, or if not allowing sockets is just the oversight of a
> first approximation of this patch?

Mounting anything into a jail needs to be done carefully. Clearly null mounting /sbin into an untrusted jail allows all kinds of shenanigans to happen, but I don't see a huge problem with mounting e.g. a data volume or a config file into a jail. Care needs to be taken at the point when the object is mounted to defend against symlinks in the jail's chroot causing the mount point to change to a surprising location outside the chroot. In ocijail, I added code to resolve symlinks in the context of the jail's chroot to avoid this.

I also think it's important to perform any mounts or other configuration strictly before the jail is started - for OCI containers under podman or containerd, this may happen after the jail is created but strictly before anything in the container image is executed. Conversely, unmounting happens strictly after the jail is removed.

In principle, I don't think it's a problem to mount sockets or fifos into a jail, but one of the points made in your diff, that allowing jails to connect to the host syslogd is a potential risk, is a good one.

Doug.
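Doug's point about resolving symlinks in the context of the jail's chroot before mounting, shown as an added example that is not ocijail's code and not part of this thread: a userland path walker that treats the jail root as "/" (absolute symlink targets are rebased onto it, ".." is clamped at it), exercised against a constructed throwaway directory with a hostile symlink layout. The function names `resolve_in_root` and `demo_resolves_to` are assumptions of this example.

```c
#define _GNU_SOURCE /* mkdtemp, lstat, readlink under strict -std on glibc */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Resolve jail-relative `path` as if `root` (no trailing slash) were "/":
 * absolute link targets are rebased onto root and ".." never climbs above
 * it.  Host-side result goes to `out`; -1 means readlink error or loop. */
int resolve_in_root(const char *root, const char *path, char *out, size_t outlen)
{
    char work[PATH_MAX], next[PATH_MAX], cur[PATH_MAX], tgt[PATH_MAX], *rest, *comp;
    size_t rootlen = strlen(root), n;
    struct stat st; ssize_t tl; int links = 0;
    snprintf(cur, sizeof cur, "%s", root); snprintf(work, sizeof work, "%s", path);
    for (rest = work; rest != NULL;) {
        comp = rest;
        if ((rest = strchr(rest, '/')) != NULL) *rest++ = '\0';
        if (comp[0] == '\0' || strcmp(comp, ".") == 0) continue;
        if (strcmp(comp, "..") == 0) {                  /* clamp at the jail root */
            if (strlen(cur) > rootlen) *strrchr(cur, '/') = '\0';
            continue;
        }
        n = strlen(cur);
        snprintf(cur + n, sizeof cur - n, "/%s", comp);
        if (lstat(cur, &st) != 0 || !S_ISLNK(st.st_mode)) continue; /* not a link */
        if ((tl = readlink(cur, tgt, sizeof tgt - 1)) < 0 || ++links > 32) return -1;
        tgt[tl] = '\0'; cur[tgt[0] == '/' ? rootlen : n] = '\0'; /* rebase absolute */
        snprintf(next, sizeof next, "%s/%s", tgt, rest ? rest : ""); /* re-queue rest */
        strcpy(work, next); rest = work;
    }
    snprintf(out, outlen, "%s", cur);
    return 0;
}
/* Constructed demo: throwaway jail root with hostile symlinks, built on first use; 1 if `rel` resolves to root/want_rel. */
int demo_resolves_to(const char *rel, const char *want_rel)
{
    static char root[PATH_MAX]; char p[PATH_MAX], out[PATH_MAX];
    if (root[0] == '\0') {
        strcpy(root, "/tmp/jailXXXXXX");
        if (mkdtemp(root) == NULL) return 0;
        snprintf(p, sizeof p, "%s/etc", root); mkdir(p, 0755);
        snprintf(p, sizeof p, "%s/log", root); symlink("/etc", p);    /* absolute link */
        snprintf(p, sizeof p, "%s/up", root); symlink("../../..", p); /* tries to climb */
    }
    if (resolve_in_root(root, rel, out, sizeof out) != 0) return -1;
    snprintf(p, sizeof p, "%s/%s", root, want_rel);
    return strcmp(out, p) == 0;
}
```

A userland walk like this cannot rule out the jail swapping a symlink between the check and the mount, which is one reason the reply insists on doing mounts strictly before anything in the jail runs.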