From: Alexander Leidinger
To: Robert Watson
Cc: freebsd-jail@FreeBSD.org
Date: Thu, 26 Jun 2008 08:06:25 +0200
Subject: Re: is nfs mount inside jail possible?
Message-ID: <20080626080625.12031sjuk9s5fp5w@webmail.leidinger.net>
In-Reply-To: <20080625174425.W87282@fledge.watson.org>

Quoting Robert Watson (from Wed, 25 Jun 2008 17:53:36 +0100 (BST)):

> I don't know of any specific vulnerabilities that will open up, and
> I don't have time to read the source code to find them now, but I do
> promise you that if you allow arbitrary mounting of file systems in
> jail, you will likely run into quite a few, simply because mounting
> of file systems is a sensitive operation, modifies the file system

I agree, but I put the focus on "arbitrary". What I specifically did not include in the list was ufs, procfs, fdescfs and some more. UFS can cause a kernel panic if used with a bad FS image.
For procfs we even recommend not mounting it in a normal system, and for others I don't know if they are robust enough.

For nullfs all depends on whether it can break out of the jail or not. If it cannot, I don't see why we should not allow mounting it in a jail. Based upon what I've read in the source, it's even easy to test. As it gets path names the kernel resolves itself, the test would be to modify mount_nullfs to not do the realpath, and test by adding some "../" into the path (ok, this is a simplified description, there are several cases which have to be tested, but it is not rocket science).

For other FS it depends on what they are/do and how robust they are. Wasn't there a FS-fuzzing paper a while ago which tested several FreeBSD FS for robustness? Very interesting would be the robustness of cd9660, msdosfs and udf. Those are candidates which would be interesting to use in a jail.

> So, per my comments, I would recommend extreme caution because the
> implications are very tricky to reason about, requiring careful
> auditing of source code to ensure that expected protections will
> continue to be enforced. Caveat emptor. Beware the dog. Enter at
> your own risk. There be dragons. Run away!

I agree with everything except the "Run away!" :) This is CS, the outcome should be deterministic... :)

Bye,
Alexander.

--
Man who sleep in beer keg wake up sticky.

http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137