namei: Make stackable filesystems check harder for jail roots
ClosedPublic
Actions

Authored by markj on May 19 2025, 3:59 PM.

Details

Reviewers

jamie
kib
olce

Commits

rG3feafab4a34c: namei: Make stackable filesystems check harder for jail roots
rG7587f6d4840f: namei: Make stackable filesystems check harder for jail roots

Summary

Suppose a process has its cwd pointing to a nullfs directory. Suppose
that the lower directory vnode is moved out from under the nullfs mount.
The nullfs vnode still shadows the lower vnode, and dotdot lookups
relative to that directory will instantiate new nullfs vnodes outside of
the nullfs mountpoint, effectively shadowing the lower filesystem.

This trick can be abused to escape a chroot, since the nullfs vnodes
instantiated by these dotdot lookups defeat the root vnode check in
vfs_lookup(), which uses vnode pointer equality to test for the process
root.

Fix this by extending nullfs and unionfs to perform the same check,
exploiting the fact that the passed componentname is embedded in a
nameidata structure to avoid changing the VOP_LOOKUP interface. That
is, add a flag to indicate that containerof can be used to get the full
nameidata structure, and perform the root vnode check on the lower vnode
when performing a dotdot lookup.

PR: 262180

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.May 19 2025, 3:59 PM

Herald added a subscriber: imp. · View Herald TranscriptMay 19 2025, 3:59 PM

markj requested review of this revision.May 19 2025, 3:59 PM

Harbormaster completed remote builds in B64292: Diff 155698.May 19 2025, 3:59 PM

markj added a parent revision: D50417: namei: Fix cn_flags width in various places.May 19 2025, 3:59 PM

markj mentioned this in D50390: nullfs lookup: cn_flags is 64bit.May 19 2025, 4:15 PM

I appreciate the single vfs_lookup_isroot function - it took me an embarrassingly long time to discover a second copy of that code had appeared in vfs_cache.c a mere five years ago.

A question for the uninitiated about the NAMEILOOKUP flag: what other context are names looked up in, that don't have nameidata?

In D50418#1150756, @jamie wrote:

I appreciate the single vfs_lookup_isroot function - it took me an embarrassingly long time to discover a second copy of that code had appeared in vfs_cache.c a mere five years ago.

A question for the uninitiated about the NAMEILOOKUP flag: what other context are names looked up in, that don't have nameidata?

There are some VOP_LOOKUP calls in individual filesystems which manually fill out a componentname: zfs_fhtovp() contains a couple of examples. I'm not yet completely convinced that it's safe to elide all of those cases, but I'm pretty sure it is.

The check is present for nullfs but not unionfs here. Could you rather wrap the __containerof(cnp, struct nameidata, ni_cnd) into a function that will check for NAMEILOOKUP positioned, and will return NULL if it is not?

sys/fs/nullfs/null_vnops.c
404–412	This comment really applies only to the `VV_ROOT` case, so I'd move it closer to the `if ((ldvp->v_vflag & VV_ROOT) != 0)` line.

kib accepted this revision.May 19 2025, 10:34 PM

kib added inline comments.

sys/kern/vfs_lookup.c
868	Please add {} around the body.

This revision is now accepted and ready to land.May 19 2025, 10:34 PM

kib added inline comments.May 19 2025, 10:40 PM

sys/sys/namei.h
155	Please keep namei.9 up to date.

Just to be sure that my comment is not lost:

The check is present for nullfs but not unionfs here. Could you rather wrap the __containerof(cnp, struct nameidata, ni_cnd) into a function that will check for NAMEILOOKUP positioned, and will return NULL if it is not?

The change is not conceptually correct for unionfs.

This revision now requires changes to proceed.May 20 2025, 10:02 AM

markj marked 3 inline comments as done.May 22 2025, 1:56 PM

markj added inline comments.