Date: Fri, 28 Mar 2025 11:22:36 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 262180] jail escaping via jail-friendly nullfs
Message-ID: <bug-262180-227-zD2aBuTr6m@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-262180-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-262180-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262180

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kib@FreeBSD.org,
                   |                            |markj@FreeBSD.org

--- Comment #7 from Mark Johnston <markj@FreeBSD.org> ---

This is a consequence of the way nullfs handles dotdot lookups. Here, a proc's cwd is a nullfs vnode, and behind the scenes the corresponding lower vnode is moved out of the exported directory. Then, successive dotdot lookups instantiate nullfs vnodes outside of the nullfs mountpoint. These get returned and effectively "cover" the jail's root dir, so the pointer equality check in vfs_lookup() against ni_rootdir doesn't work because it's comparing the returned nullfs vnode with a lower vnode.

There is a hack in null_lookup() to handle this kind of situation, and this is enough to prevent the problem if the process root is also a mountpoint.

To fix this, I think vfs_lookup() either has to compare ni_topdir/ni_rootdir with "dp" and its aliases, using a VOP implemented by nullfs. Or, we can start passing the ndp to VOP_LOOKUP somehow and modify nullfs to perform this check internally.

--
You are receiving this mail because:
You are the assignee for the bug.
