Date: Thu, 14 May 2009 13:12:41 -0600 From: Jamie Gritton <jamie@FreeBSD.org> To: Jilles Tjoelker <jilles@stack.nl> Cc: virtualization@FreeBSD.org, jail@FreeBSD.org, FreeBSD Current <freebsd-current@FreeBSD.org> Subject: Re: Hierarchical jails Message-ID: <4A0C6D29.7020606@FreeBSD.org> In-Reply-To: <20090514181446.GA42264@stack.nl> References: <4A051DE3.30705@FreeBSD.org> <4A0C5112.9010103@FreeBSD.org> <20090514181446.GA42264@stack.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
Jilles Tjoelker wrote: > On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote: >> There's still a change to offer your input on the new jails before they >> go in! OK, given the lack of response so far, it's less "still a >> chance" than "please?". Current plans are to have this in place for >> 8.0, with connections to the ongoing Vimage work. Hopefully the silence >> is approval, and commits will likely be appearing soon. > > I have not tried this, but I think this patch may allow jailed roots to > escape. The problem is that there is only one fd_jdir. The escape would > go like: jailed root creates a new jail in a subdirectory, opens its / > and sends the fd to a process in the new jail via a unix domain socket. > When the process calls fchdir on the fd, it will be able to access .. > normally. > > With nested chroot, or chroot in jail, this is not possible, because > fd_jdir always contains the first jail or chroot done and will not allow > escaping from it; however, root in a level 2 chroot can escape back to > level 1 using chroot. Indeed - considering how that was a major design point of jails, I'm not sure how I missed it. ".." processing will need to run up the jail tree. No big deal on performance and easily done, but embarrassing not have had that in place already.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A0C6D29.7020606>