Date:      Thu, 14 May 2009 13:12:41 -0600
From:      Jamie Gritton <jamie@FreeBSD.org>
To:        Jilles Tjoelker <jilles@stack.nl>
Cc:        virtualization@FreeBSD.org, jail@FreeBSD.org, FreeBSD Current <freebsd-current@FreeBSD.org>
Subject:   Re: Hierarchical jails
Message-ID:  <4A0C6D29.7020606@FreeBSD.org>
In-Reply-To: <20090514181446.GA42264@stack.nl>
References:  <4A051DE3.30705@FreeBSD.org> <4A0C5112.9010103@FreeBSD.org> <20090514181446.GA42264@stack.nl>


Jilles Tjoelker wrote:
> On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote:
>> There's still a chance to offer your input on the new jails before they
>> go in!  OK, given the lack of response so far, it's less "still a
>> chance" than "please?".  Current plans are to have this in place for
>> 8.0, with connections to the ongoing Vimage work.  Hopefully the silence
>> is approval, and commits will likely be appearing soon.
> 
> I have not tried this, but I think this patch may allow jailed roots to
> escape. The problem is that there is only one fd_jdir. The escape would
> go like: jailed root creates a new jail in a subdirectory, opens its /
> and sends the fd to a process in the new jail via a unix domain socket.
> When the process calls fchdir on the fd, it will be able to access ..
> normally.
> 
> With nested chroot, or chroot in jail, this is not possible, because
> fd_jdir always contains the first jail or chroot done and will not allow
> escaping from it; however, root in a level 2 chroot can escape back to
> level 1 using chroot.


Indeed - considering how that was a major design point of jails, I'm not
sure how I missed it.  ".." processing will need to run up the jail
tree.  No big deal on performance and easily done, but embarrassing not
to have had that in place already.
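
Added example, not part of the original message, the patch under discussion, or the FreeBSD kernel: a toy model of the ".." check that contrasts a single recorded root with a walk up the jail tree. The struct names, function names and directory layout are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model, not kernel code: a directory knows its parent; "/" is its own parent. */
struct dir  { const char *path; struct dir *parent; };
/* A jail has a root directory and a parent jail (NULL above the host). */
struct jail { struct dir *root; struct jail *parent; };

/* Single-root check: ".." is stopped only at the one root recorded for the process. */
struct dir *dotdot_single(const struct jail *j, struct dir *dp) {
    return dp == j->root ? dp : dp->parent;
}

/* Hierarchical check: ".." is stopped at the root of the jail or of any ancestor. */
struct dir *dotdot_tree(const struct jail *j, struct dir *dp) {
    for (; j != NULL; j = j->parent)
        if (dp == j->root)
            return dp;
    return dp->parent;
}

/* Constructed layout: host "/", level-1 jail rooted at /j, level-2 jail at /j/child. */
static struct dir host_root  = { "/", &host_root };
static struct dir j_root     = { "/j", &host_root };
static struct dir child_root = { "/j/child", &j_root };
static struct jail host   = { &host_root, NULL };
static struct jail level1 = { &j_root, &host };
static struct jail level2 = { &child_root, &level1 };

int main(void) {
    /* A level-2 process whose current directory is the level-1 root (/j),
       the situation described in the quoted message. */
    printf("single root: .. from %s -> %s\n", j_root.path,
           dotdot_single(&level2, &j_root)->path);
    printf("jail tree:   .. from %s -> %s\n", j_root.path,
           dotdot_tree(&level2, &j_root)->path);
    return 0;
}
```

In this model the single-root check lets ".." leave /j for the host root, while the tree walk keeps the lookup pinned at /j; a level-1 process can still move from /j/child up to its own root.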

