From owner-freebsd-bugs@FreeBSD.ORG Thu Dec 11 06:00:47 2003
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8324716A4CE for ; Thu, 11 Dec 2003 06:00:47 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E495743D3B for ; Thu, 11 Dec 2003 06:00:32 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) hBBE0WFR001730 for ; Thu, 11 Dec 2003 06:00:32 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id hBBE0WaH001729; Thu, 11 Dec 2003 06:00:32 -0800 (PST) (envelope-from gnats)
Resent-Date: Thu, 11 Dec 2003 06:00:32 -0800 (PST)
Resent-Message-Id: <200312111400.hBBE0WaH001729@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Pawel Jakub Dawidek
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B97616A4D1; Thu, 11 Dec 2003 05:49:59 -0800 (PST)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id AD45943D3A; Thu, 11 Dec 2003 05:49:49 -0800 (PST) (envelope-from nick@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 1001) id A48643ABB53; Thu, 11 Dec 2003 14:50:32 +0100 (CET)
Message-Id: <20031211135032.A48643ABB53@milla.ask33.net>
Date: Thu, 11 Dec 2003 14:50:32 +0100 (CET)
From: Pawel Jakub Dawidek
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: nectar@FreeBSD.org
cc: rwatson@FreeBSD.org
Subject: kern/60149: Unmount operation is permitted inside jail.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Pawel Jakub Dawidek
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 11 Dec 2003 14:00:47 -0000

>Number:         60149
>Category:       kern
>Synopsis:       Unmount operation is permitted inside jail.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 11 06:00:32 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Jakub Dawidek
>Release:        FreeBSD 5.2-CURRENT, FreeBSD 4.x.
>Organization:
None
>Environment:
System: FreeBSD anger.hell.invalid 5.2-CURRENT FreeBSD 5.2-CURRENT #4: Mon Dec 8 15:41:20 CET 2003 root@anger.hell.invalid:/usr/obj/usr/src/sys/ANGER i386
>Description:
This possibility was originally reported by: Dariusz Kowalski

There is a missing check in the unmount(2) system call. Because of this, a jailed root is able to unmount any file system (except the root file system, because of a different check).

The insufficient check is here (/sys/kern/vfs_mount.c:1058):

	if (mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) {
		error = suser(td);
		if (error)
			return (error);
	}

We're missing a suser() test for root in a jail.

This bug also exists in FreeBSD 4.x:

	if ((mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
	    (error = suser(p))) {
		vput(vp);
		return (error);
	}

For a jailed root the first check will fail, so the whole 'if' will fail.
>How-To-Repeat: # mdconfig -a -t malloc -s 1M -u 10 # newfs -O1 /dev/md10 # mkdir /mnt/test # mount /dev/md10 /mnt/test # jail / test 127.0.0.1 /sbin/umount /mnt/test umount: retrying using path instead of file system ID # mount | grep /mnt/test Exit 1 >Fix: This patch should fix this bug (against FreeBSD 5-CURRENT): --[ start ]-- --- vfs_mount.c.orig Thu Dec 11 14:01:58 2003 +++ vfs_mount.c Thu Dec 11 14:38:45 2003 @@ -68,6 +68,7 @@ #include #include #include +#include #include #include #include @@ -1013,6 +1014,12 @@ struct mount *mp; char *pathbuf; int error, id0, id1; + + /* + * Unmount operation is not permitted inside jail. + */ + if (jailed(td->td_ucred)) + return (EPERM); pathbuf = malloc(MNAMELEN, M_TEMP, M_WAITOK); error = copyinstr(uap->path, pathbuf, MNAMELEN, NULL); --[ end ]-- And this one against FreeBSD 4.8 (not tested): --[ start ]-- --- vfs_syscalls.c.orig Thu Dec 11 14:27:17 2003 +++ vfs_syscalls.c Thu Dec 11 14:28:36 2003 @@ -441,6 +441,12 @@ mp = vp->v_mount; /* + * Unmount operation is not permitted inside jail. + */ + if (p->p_prison != NULL) + return (EPERM); + + /* * Only root, or the user that did the original mount is * permitted to unmount this filesystem. */ --[ end ]-- >Release-Note: >Audit-Trail: >Unformatted:
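Review bot: the `+#include` line in the first 5-CURRENT hunk (@@ -68,6 +68,7 @@) has lost its header name in this copy of the patch, so the hunk cannot be checked against the symbol it is meant to provide; the only new symbol the patch introduces into vfs_mount.c is jailed(), which FreeBSD declares in sys/jail.h, so that is the header this hunk needs to add, and nothing else.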
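Review bot: the jailed() test in the unmount() hunk (@@ -1013,6 +1014,12 @@) is placed at the top of the function, away from the owner/suser() check at vfs_mount.c:1058 that the description identifies as insufficient, and it denies every unmount from a jail outright instead of making a jailed caller take the suser() path the report says is missing. Folding it into the existing condition, `if (jailed(td->td_ucred) || mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) { error = suser(td); ...`, keeps the unmount policy in one place and still yields EPERM for jailed root, since suser() is what rejects it. As written the early return is at least safe: it happens before pathbuf is allocated, so nothing is leaked; the comment should also state why the check is needed (suser() is only consulted when the uids differ), not just that unmount is forbidden in a jail.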
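Review bot: the early `return (EPERM)` in the 4.8 hunk (vfs_syscalls.c, @@ -441,6 +441,12 @@) skips the `vput(vp)` that the surrounding code performs before every error return at this point, as the 4.x snippet quoted in the description shows (`vput(vp); return (error);`), so each denied unmount from a jail leaks the locked vnode reference held at that point. Either add `vput(vp);` before the return or fold `p->p_prison != NULL` into the existing owner/suser() condition so the existing cleanup path is used; the author notes this patch is untested, and a single `umount` from a jail followed by a look at the vnode's reference count is the test that would have caught it.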
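To make the reported logic error concrete, here is an added userland model of the unmount(2) permission check, written for this page and not code from the PR or from FreeBSD. It imitates the quoted check in its reported form and with the patch's jail test in front of it; the structs `cred` and `mnt`, the function `suser_model()` and the uids in the table are this example's own constructions standing in for struct ucred, struct mount and the kernel's suser(), which the report describes as rejecting a jailed root.

```c
/*
 * Added example, not code from the PR or from FreeBSD: a userland model of
 * the unmount(2) owner/suser() check discussed in the report, in its reported
 * (buggy) form and with the patch's jail test added. The structs and names
 * (cred, mnt, suser_model, ...) are this example's own; struct ucred,
 * struct mount and suser() are only imitated.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct cred {
    unsigned uid;
    bool jailed;           /* stands in for jailed(td->td_ucred) */
};

struct mnt {
    unsigned owner_uid;    /* stands in for mp->mnt_cred->cr_uid */
};

/* suser() as the report relies on it: only an unjailed uid 0 passes. */
static int suser_model(const struct cred *c)
{
    if (c->jailed || c->uid != 0)
        return EPERM;
    return 0;
}

/*
 * The check quoted from vfs_mount.c: suser() is consulted only when the
 * caller's uid differs from the mount owner's, so a jailed uid 0 unmounting
 * a file system mounted by uid 0 is never asked whether it is in a jail.
 */
static int unmount_check_reported(const struct mnt *mp, const struct cred *c)
{
    if (mp->owner_uid != c->uid)
        return suser_model(c);
    return 0;
}

/* The patch: refuse any unmount from inside a jail before the owner test. */
static int unmount_check_patched(const struct mnt *mp, const struct cred *c)
{
    if (c->jailed)
        return EPERM;
    return unmount_check_reported(mp, c);
}

/*
 * How many of two constructed mounts (owned by uid 0 and by uid 1001) a
 * jailed uid 0 may unmount under the given check. Reported code: 1 (the
 * root-owned mount, the case in the PR); patched code: 0.
 */
static int jailed_root_unmounts(int (*check)(const struct mnt *, const struct cred *))
{
    const struct cred jailed_root = { 0, true };
    const struct mnt mounts[] = { { 0 }, { 1001 } };   /* constructed owners */
    int allowed = 0;

    for (size_t i = 0; i < sizeof mounts / sizeof mounts[0]; i++)
        if (check(&mounts[i], &jailed_root) == 0)
            allowed++;
    return allowed;
}

int main(void)
{
    const struct mnt *mps[] = { &(struct mnt){ 0 }, &(struct mnt){ 1001 } };
    const struct cred cases[] = {
        { 0, false },      /* unjailed root */
        { 1001, false },   /* unjailed owner of the uid-1001 mount */
        { 1002, false },   /* unjailed non-owner */
        { 0, true },       /* jailed root: the reported case */
    };

    printf("%-6s %-7s %-11s %-9s %s\n", "uid", "jailed", "mount", "reported", "patched");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        for (size_t j = 0; j < 2; j++)
            printf("%-6u %-7s owner=%-5u %-9s %s\n", cases[i].uid,
                   cases[i].jailed ? "yes" : "no", mps[j]->owner_uid,
                   unmount_check_reported(mps[j], &cases[i]) ? "EPERM" : "ok",
                   unmount_check_patched(mps[j], &cases[i]) ? "EPERM" : "ok");
    return 0;
}
```

The row for uid 0 in a jail against the root-owned mount is the PR: "ok" under the reported check, because the uids match and suser() is never reached, and EPERM once the jail test runs first. The other rows show that the patch changes nothing for unjailed callers.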