Date: Fri, 28 Mar 2025 11:22:36 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 262180] jail escaping via jail-friendly nullfs Message-ID: <bug-262180-227-zD2aBuTr6m@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-262180-227@https.bugs.freebsd.org/bugzilla/> References: <bug-262180-227@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D262180 Mark Johnston <markj@FreeBSD.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kib@FreeBSD.org, | |markj@FreeBSD.org --- Comment #7 from Mark Johnston <markj@FreeBSD.org> --- This is a consequence of the way nullfs handles dotdot lookups. Here, a pr= oc's cwd is a nullfs vnode, and behind the scenes the corresponding lower vnode = is moved out of the exported directory. Then, successive dotdot lookups instantiate nullfs vnodes outside of the nullfs mountpoint. These get retu= rned and effectively "cover" the jail's root dir, so the pointer equality check = in vfs_lookup() against ni_rootdir doesn't work because it's comparing the returned nullfs vnode with a lower vnode. There is a hack in null_lookup() to handle this kind of situation, and this= is enough to prevent the problem if the process root is also a mountpoint. To fix this, I think vfs_lookup() either has to compare ni_topdir/ni_rootdir with "dp" and its aliases, using a VOP implemented by nullfs. Or, we can s= tart passing the ndp to VOP_LOOKUP somehow and modify nullfs to perform this che= ck internally. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-262180-227-zD2aBuTr6m>