Date: Thu, 26 Jun 2008 08:06:25 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: is nfs mount inside jail possible?
Message-ID: <20080626080625.12031sjuk9s5fp5w@webmail.leidinger.net>
In-Reply-To: <20080625174425.W87282@fledge.watson.org>
References: <62852722@bb.ipt.ru>
 <20080625173401.116369ceeiewif40@webmail.leidinger.net>
 <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net>
 <20080625165505.P87282@fledge.watson.org>
 <20080625184151.20404iq2r7t4iomc@webmail.leidinger.net>
 <20080625174425.W87282@fledge.watson.org>

Quoting Robert Watson <rwatson@FreeBSD.org> (from Wed, 25 Jun 2008
17:53:36 +0100 (BST)):

> I don't know of any specific vulnerabilities that will open up, and
> I don't have time to read the source code to find them now, but I do
> promise you that if you allow arbitrary mounting of file systems in
> jail, you will likely run into quite a few, simply because mounting
> of file systems is a sensitive operation, modifies the file system

I agree, but I put the focus on "arbitrary". What I specially did not
include in the list was ufs, procfs, fdescfs and some more.

UFS can cause a kernel panic if used with a bad FS image. For procfs
we even recommend to not mount it in a normal system, and for others I
don't know if they are robust enough.

For nullfs all depends if it can break out of the jail or not. If it
can not, I don't see why we should not allow to mount it in a jail.
Based upon what I've read in the source, it's even easy to test. As it
gets path names the kernel resolves itself, the test would be to
modify mount_nullfs to not do the realpath, and test by adding some
"../" into the path (ok, this is a simplified description, there are
several cases which have to be tested, but it is not rocket science).

For other FS it depends what they are/do and how robust they are.
Wasn't there a FS-fuzzing paper a while ago which tested several
FreeBSD FS for robustness? Very interesting would be the robustness
for cd9660, msdosfs and udf. Those are candidates which would be
interesting to use in a jail.

> So, per my comments, I would recommend extreme caution because the
> implications are very tricky to reason about, requiring careful
> auditing of source code to ensure that expected protections will
> continue to be enforced. Caveat emptor. Beware the dog. Enter at
> your own risk. There be dragons. Run away!

I agree with everything except the "Run away!" :) This is CS, the
outcome should be deterministic... :)

Bye,
Alexander.

-- 
Man who sleep in beer keg wake up stickey.
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
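
The property the message proposes to test for nullfs (a path containing "../" must not resolve above the jail root), as an added example that is not part of the original e-mail or of FreeBSD's code. It is a purely lexical userland model in C that ignores symlinks; `jail_resolve`, `inside_jail` and the `/jails/www` root are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Userland model: resolve a jail-supplied path against the jail root.
 * Assumptions: lexical only (no symlinks); jail_root is absolute, has no
 * trailing '/' and is not "/". ".." at the jail root stays at the root.
 * Returns 0 on success, -1 if out is too small. */
int jail_resolve(const char *jail_root, const char *path,
                 char *out, size_t outlen)
{
    size_t rootlen = strlen(jail_root), len = rootlen;

    if (rootlen + 1 > outlen)
        return -1;
    memcpy(out, jail_root, rootlen + 1);
    while (*path != '\0') {
        size_t n = strcspn(path, "/");      /* length of next component */
        if (n == 2 && path[0] == '.' && path[1] == '.') {
            while (len > rootlen && out[len - 1] != '/')
                len--;                      /* strip the last component */
            if (len > rootlen)
                len--;                      /* and its leading '/' */
            out[len] = '\0';                /* never shorter than the root */
        } else if (n > 0 && !(n == 1 && path[0] == '.')) {
            if (len + n + 2 > outlen)
                return -1;
            out[len++] = '/';
            memcpy(out + len, path, n);
            len += n;
            out[len] = '\0';
        }
        path += n + strspn(path + n, "/");  /* skip component and slashes */
    }
    return 0;
}

/* True if resolved is the root or below it ("/jails/www2" is outside). */
int inside_jail(const char *jail_root, const char *resolved)
{
    size_t rootlen = strlen(jail_root);
    return strncmp(resolved, jail_root, rootlen) == 0 &&
           (resolved[rootlen] == '\0' || resolved[rootlen] == '/');
}

int main(void)
{
    char buf[256];  /* constructed sample: hypothetical root and target */
    if (jail_resolve("/jails/www", "/mnt/../../../etc", buf, sizeof buf) == 0)
        printf("%s inside=%d\n", buf, inside_jail("/jails/www", buf));
    return 0;
}
```

The containment check is applied to the resolved path, with a component boundary after the root, so that a sibling directory sharing the root's prefix is not accepted.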