Quoting Robert Watson <[EMAIL PROTECTED]> (from Wed, 25 Jun 2008 17:53:36 +0100 (BST)):

> I don't know of any specific vulnerabilities that will open up, and I don't have time to read the source code to find them now, but I do promise you that if you allow arbitrary mounting of file systems in jail, you will likely run into quite a few, simply because mounting of file systems is a sensitive operation, modifies the file system

I agree, but I put the focus on "arbitrary". What I specifically did not include in the list was ufs, procfs, fdescfs and some more.

UFS can cause a kernel panic if used with a bad FS image. For procfs we even recommend not mounting it in a normal system, and for the others I don't know if they are robust enough.

For nullfs it all depends on whether it can break out of the jail or not. If it cannot, I don't see why we should not allow mounting it in a jail. Based upon what I've read in the source, it's even easy to test. As it gets path names the kernel resolves itself, the test would be to modify mount_nullfs to not do the realpath, and test by adding some "../" into the path (ok, this is a simplified description, there are several cases which have to be tested, but it is not rocket science).

For other FSs it depends on what they are/do and how robust they are. Wasn't there an FS-fuzzing paper a while ago which tested several FreeBSD FSs for robustness? Very interesting would be the robustness of cd9660, msdosfs and udf. Those are candidates which would be interesting to use in a jail.

> So, per my comments, I would recommend extreme caution because the implications are very tricky to reason about, requiring careful auditing of source code to ensure that expected protections will continue to be enforced. Caveat emptor. Beware the dog. Enter at your own risk. There be dragons. Run away!

I agree with everything except the "Run away!" :) This is CS, the outcome should be deterministic... :)

Bye,
Alexander.

--
Man who sleep in beer keg wake up stickey.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
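The "../" test Alexander sketches above boils down to one question: after the kernel resolves the path (with mount_nullfs's userland realpath taken out of the picture), does the result still lie beneath the jail's root? The following is an added, lexical model of that containment check, written for this thread and not FreeBSD's own nullfs or jail code; it assumes no symlinks and uses a constructed jail root of /jail.

```python
import posixpath
from typing import Optional


def resolve_in_jail(jail_root: str, requested: str) -> Optional[str]:
    """Resolve `requested` the way a jailed process sees it and say
    whether it stays inside the jail.

    Returns the resolved absolute path when it is inside `jail_root`,
    or None when the ".." components would climb out of it. This is a
    purely lexical model (assumption: no symlinks), not the kernel's
    actual lookup code.
    """
    jail_root = posixpath.normpath(jail_root)
    # Inside a jail an absolute path is relative to the jail's root,
    # so strip the leading "/" and join it beneath the root first.
    combined = posixpath.join(jail_root, requested.lstrip("/"))
    # normpath collapses "." and ".." without consulting the disk;
    # the untrusted side's own normalisation is deliberately ignored.
    resolved = posixpath.normpath(combined)
    if jail_root == "/":
        return resolved  # nothing above the real root to escape to
    inside = resolved == jail_root or resolved.startswith(jail_root + "/")
    return resolved if inside else None


def escape_attempts(jail_root: str, paths: list) -> dict:
    """Run a batch of candidate mount targets through the check and
    report which ones would have escaped (constructed inputs only)."""
    return {p: resolve_in_jail(jail_root, p) for p in paths}


if __name__ == "__main__":
    for path, result in escape_attempts("/jail", [
        "/usr/ports",
        "a/../b",
        "/usr/../../etc",
        "../../etc/passwd",
    ]).items():
        print(f"{path!r:>22} -> {'ESCAPES' if result is None else result}")
```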
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail