From owner-freebsd-bugs Fri Apr 20 16:20:18 2001 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7937737B43E for ; Fri, 20 Apr 2001 16:20:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f3KNK2L06077; Fri, 20 Apr 2001 16:20:02 -0700 (PDT) (envelope-from gnats) Received: from haluter.fromme.com (haluter.fromme.com [212.66.1.135]) by hub.freebsd.org (Postfix) with ESMTP id DD2B737B424 for ; Fri, 20 Apr 2001 16:11:53 -0700 (PDT) (envelope-from olli@haluter.fromme.com) Received: (from root@localhost) by haluter.fromme.com (8.11.3/8.11.3) id f3KNBqh00491; Sat, 21 Apr 2001 01:11:52 +0200 (CEST) (envelope-from olli) Message-Id: <200104202311.f3KNBqh00491@haluter.fromme.com> Date: Sat, 21 Apr 2001 01:11:52 +0200 (CEST) From: olli@fromme.com Reply-To: olli@fromme.com To: FreeBSD-gnats-submit@freebsd.org Cc: olli@fromme.com X-Send-Pr-Version: 3.113 Subject: kern/26740: [PATCH] jail improvement Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 26740 >Category: kern >Synopsis: [PATCH] jail improvement >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Fri Apr 20 16:20:02 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Oliver Fromme >Release: FreeBSD 4.3-RC2 alpha >Organization: fromme.com >Environment: System: FreeBSD haluter.fromme.com 4.3-RC2 FreeBSD 4.3-RC2 #8: Fri Apr 20 23:48:25 CEST 2001 olli@haluter.fromme.com:/sea/src/sys/compile/HALUTER alpha >Description: This patch adds a small feature to jails. Processes within a jails cannot see things outside their jail (files, processes, sockets) -- however, thay still can see _all_ mountpoints. This patch fixes that. In particular, it does two things: -1- Mounts which are outside of a jail are not returned to processes within that jail. -2- Mounts within a jail get their jail chroot prefix stripped off. See example below. The patch modifies statfs(), fstatfs() and getfsstat(). Without my patch, the output of "mount" within a jail on my test machine looks like this: /dev/da0a on / (ufs, local, soft-updates) /dev/da0f on /sea (ufs, local, soft-updates) /dev/da0e on /var (ufs, local, soft-updates) procfs on /proc (procfs, local) /dev/vn0c on /usr (ufs, local, soft-updates) /dev/vn1c on /jail/olli (ufs, local, read-only) /dev/vn2c on /jail/olli (ufs, local, union, soft-updates) procfs on /jail/olli/proc (procfs, local) /dev/vn3c on /jail/olli/home (ufs, local, read-only) With my patch, the output is this: /dev/vn1c on / (ufs, local, read-only) /dev/vn2c on / (ufs, local, union, soft-updates) procfs on /proc (procfs, local) /dev/vn3c on /home (ufs, local, read-only) There's a small point to note: If there aren't any mounts within the jail, getfsstat() returns 0 (an empty list). /bin/df handles this well, but /sbin/mount prints ,,error 0``. I tend to think that that's a bug in /sbin/mount. I'll submit a fix if desired. >How-To-Repeat: Set up a jail environment somewhere, start the jail and type "df" or "mount". You'll see all mountpoints, including those in other jails and those that aren't in any jails. >Fix: NOTE: This patch is against -stable. Unfortunately, I don't have a machine left for installing -current. I've had a quick look at the relevant files in -current in the CVS repository, and I _think_ it shouldn't be too painful to apply the patch there (change p->pr_prison to p->p_ucred->cr_prison etc.), but I can't test it myself on -current. (It's running perfectly fine on my -stable box, of course.) --- src/sys/sys/jail.h.orig Wed Nov 1 18:58:06 2000 +++ src/sys/sys/jail.h Sat Apr 7 21:00:39 2001 @@ -30,6 +30,17 @@ MALLOC_DECLARE(M_PRISON); #endif + +#ifndef MNAMELEN +/* This is taken from sys/mount.h. */ +#ifdef __i386__ +#define MNAMELEN 80 /* length of buffer for returned name */ +#endif +#ifdef __alpha__ +#define MNAMELEN 72 /* length of buffer for returned name */ +#endif +#endif + /* * This structure describes a prison. It is pointed to by all struct * proc's of the inmates. pr_ref keeps track of them and is used to @@ -39,6 +50,7 @@ struct prison { int pr_ref; char pr_host[MAXHOSTNAMELEN]; + char pr_path[MNAMELEN]; u_int32_t pr_ip; void *pr_linux; }; --- src/sys/kern/kern_jail.c.orig Wed Nov 1 18:58:06 2000 +++ src/sys/kern/kern_jail.c Sat Apr 7 21:04:31 2001 @@ -69,6 +69,9 @@ error = copyinstr(j.hostname, &pr->pr_host, sizeof pr->pr_host, 0); if (error) goto bail; + error = copyinstr(j.path, &pr->pr_path, sizeof pr->pr_path, 0); + if (error) + goto bail; pr->pr_ip = j.ip_number; ca.path = j.path; --- src/sys/kern/vfs_syscalls.c.orig Tue Mar 20 12:45:01 2001 +++ src/sys/kern/vfs_syscalls.c Fri Apr 20 23:47:16 2001 @@ -59,6 +59,7 @@ #include #include #include +#include #include #include @@ -72,6 +73,8 @@ static int change_dir __P((struct nameidata *ndp, struct proc *p)); static void checkdirs __P((struct vnode *olddp)); +static int check_prison_mount __P((struct proc *p, struct statfs *sp)); +static void trim_prison_mount __P((struct statfs *sp, int pripl)); static int chroot_refuse_vdir_fds __P((struct filedesc *fdp)); static int getutimes __P((const struct timeval *, struct timespec *)); static int setfown __P((struct proc *, struct vnode *, uid_t, gid_t)); @@ -609,6 +612,62 @@ } /* + * Check if we're imprisoned and whether the mountpoint + * is inside our prison. Return values: + * -1 if we're not supposed to see this mount. + * 0 if it's alright. + * >0 strip that many characters from the beginning of + * the path of the mountpoint. E.g. if the mount + * point is /foo/bar and the jail is chrooted at /foo, + * 4 is be returned, so only /bar will be left. + */ +static int +check_prison_mount(p, sp) + struct proc *p; + struct statfs *sp; +{ + register char *prip; /* prison path */ + register int pripl; /* prison path length */ + + if (!p->p_prison) + return (0); + prip = p->p_prison->pr_path; + pripl = strlen(prip); + if (pripl > 0 && prip[pripl - 1] == '/') + pripl--; /* ignore trailing slash, if any */ + /* + * Note that it is not sufficient to check for the + * first characters to be the same. + * We also have to make sure that the next character + * in the mountpoint path is either '\0' or '/'. + * Otherwise a jail in "/foo/bar" would be allowed + * to see a mount at "/foo/barbara". + */ + if (strncmp(prip, sp->f_mntonname, pripl) != 0 || + (sp->f_mntonname[pripl] != '\0' && sp->f_mntonname[pripl] != '/')) + return (-1); /* not our business */ + return (pripl); +} + +/* + * Remove the jail chroot path from the mountpoint, + * so that imprisoned users see everything relative + * to their jail chroot. + */ +static void +trim_prison_mount(sp, pripl) + struct statfs *sp; + int pripl; /* prison path length */ +{ + strcpy(sp->f_mntonname, sp->f_mntonname + pripl); + /* If there's nothing left, this ought to be "/". */ + if (sp->f_mntonname[0] == '\0') { + sp->f_mntonname[0] = '/'; + sp->f_mntonname[1] = '\0'; + } +} + +/* * Get filesystem statistics. */ #ifndef _SYS_SYSPROTO_H_ @@ -629,6 +688,8 @@ register struct mount *mp; register struct statfs *sp; int error; + int pripl; + int nonsu; struct nameidata nd; struct statfs sb; @@ -639,13 +700,19 @@ sp = &mp->mnt_stat; NDFREE(&nd, NDF_ONLY_PNBUF); vrele(nd.ni_vp); + if ((pripl = check_prison_mount(p, sp)) < 0) + return (ENOENT); error = VFS_STATFS(mp, sp, p); if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(p->p_ucred, 0, 0)) { + nonsu = suser_xxx(p->p_ucred, 0, 0); + if (nonsu || pripl) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); - sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; + if (nonsu) + sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; + if (pripl) + trim_prison_mount(&sb, pripl); sp = &sb; } return (copyout((caddr_t)sp, (caddr_t)SCARG(uap, buf), sizeof(*sp))); @@ -673,19 +740,27 @@ struct mount *mp; register struct statfs *sp; int error; + int pripl; + int nonsu; struct statfs sb; if ((error = getvnode(p->p_fd, SCARG(uap, fd), &fp)) != 0) return (error); mp = ((struct vnode *)fp->f_data)->v_mount; sp = &mp->mnt_stat; + if ((pripl = check_prison_mount(p, sp)) < 0) + return (ENOENT); error = VFS_STATFS(mp, sp, p); if (error) return (error); sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; - if (suser_xxx(p->p_ucred, 0, 0)) { + nonsu = suser_xxx(p->p_ucred, 0, 0); + if (nonsu || pripl) { bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); - sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; + if (nonsu) + sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; + if (pripl) + trim_prison_mount(&sb, pripl); sp = &sb; } return (copyout((caddr_t)sp, (caddr_t)SCARG(uap, buf), sizeof(*sp))); @@ -714,13 +789,16 @@ register struct statfs *sp; caddr_t sfsp; long count, maxcount, error; + int pripl; + struct statfs sb; maxcount = SCARG(uap, bufsize) / sizeof(struct statfs); sfsp = (caddr_t)SCARG(uap, buf); count = 0; simple_lock(&mountlist_slock); for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) { - if (vfs_busy(mp, LK_NOWAIT, &mountlist_slock, p)) { + pripl = check_prison_mount(p, &mp->mnt_stat); + if (pripl < 0 || vfs_busy(mp, LK_NOWAIT, &mountlist_slock, p)) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } @@ -740,6 +818,11 @@ continue; } sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK; + if (pripl) { + bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb)); + trim_prison_mount(&sb, pripl); + sp = &sb; + } error = copyout((caddr_t)sp, sfsp, sizeof(*sp)); if (error) { vfs_unbusy(mp, p); >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message