diff options
author | Jamie Gritton <jamie@FreeBSD.org> | 2021-02-19 22:13:35 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2021-02-24 01:41:57 +0000 |
commit | 4dd124c3171db9cd7fbcc49d8081de590a065d0b (patch) | |
tree | f1139609139fbb11e28a0d15d5e641de0fff0ceb | |
parent | b306be13a9c7ea0db8979a8a53dca93f90ec59cc (diff) | |
download | src-4dd124c3171db9cd7fbcc49d8081de590a065d0b.tar.gz src-4dd124c3171db9cd7fbcc49d8081de590a065d0b.zip |
MFC jail: Change both root and working directories in jail_attach(2)
jail_attach(2) performs an internal chroot operation, leaving it up to
the calling process to assure the working directory is inside the jail.
Add a matching internal chdir operation to the jail's root. Also
ignore kern.chroot_allow_open_directories, and always disallow the
operation if there are any directory descriptors open.
Approved by: so
Security: CVE-2020-25582
Security: FreeBSD-SA-21:05.jail_chdir
Reported by: mjg
Approved by: markj, kib
(cherry picked from commit d4380c0cdd0517dc038403dd5c99242ce78bdeb5)
(cherry picked from commit ca9ab8ea17748a1758701fde262cb272fb757989)
-rw-r--r-- | lib/libc/sys/jail.2 | 5 | ||||
-rw-r--r-- | sys/kern/kern_descrip.c | 40 | ||||
-rw-r--r-- | sys/kern/kern_jail.c | 2 | ||||
-rw-r--r-- | sys/sys/filedesc.h | 1 |
4 files changed, 42 insertions, 6 deletions
diff --git a/lib/libc/sys/jail.2 b/lib/libc/sys/jail.2 index 2e13a6c3a381..82c2e97d4a7b 100644 --- a/lib/libc/sys/jail.2 +++ b/lib/libc/sys/jail.2 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd February 8, 2012 +.Dd February 19, 2021 .Dt JAIL 2 .Os .Sh NAME @@ -228,6 +228,9 @@ The system call attaches the current process to an existing jail, identified by .Fa jid . +It changes the process's root and current directories to the jail's +.Va path +directory. .Pp The .Fn jail_remove diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c index cda64931779b..b61b6bc2d66e 100644 --- a/sys/kern/kern_descrip.c +++ b/sys/kern/kern_descrip.c @@ -3216,10 +3216,9 @@ chroot_refuse_vdir_fds(struct filedesc *fdp) } /* - * Common routine for kern_chroot() and jail_attach(). The caller is - * responsible for invoking priv_check() and mac_vnode_check_chroot() to - * authorize this operation. - */ +* The caller is responsible for invoking priv_check() and +* mac_vnode_check_chroot() to authorize this operation. +*/ int pwd_chroot(struct thread *td, struct vnode *vp) { @@ -3266,6 +3265,39 @@ pwd_chdir(struct thread *td, struct vnode *vp) } /* + * jail_attach(2) changes both root and working directories. + */ +int +pwd_chroot_chdir(struct thread *td, struct vnode *vp) +{ + struct filedesc *fdp; + struct vnode *oldvrp, *oldvcp; + int error; + + fdp = td->td_proc->p_fd; + FILEDESC_XLOCK(fdp); + error = chroot_refuse_vdir_fds(fdp); + if (error != 0) { + FILEDESC_XUNLOCK(fdp); + return (error); + } + oldvrp = fdp->fd_rdir; + vrefact(vp); + fdp->fd_rdir = vp; + oldvcp = fdp->fd_cdir; + vrefact(vp); + fdp->fd_cdir = vp; + if (fdp->fd_jdir == NULL) { + vrefact(vp); + fdp->fd_jdir = vp; + } + FILEDESC_XUNLOCK(fdp); + vrele(oldvrp); + vrele(oldvcp); + return (0); +} + +/* * Scan all active processes and prisons to see if any of them have a current * or root directory of `olddp'. If so, replace them with the new mount point. */ diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index b4a20b4d29e9..46b43fa7bbc2 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -2437,7 +2437,7 @@ do_jail_attach(struct thread *td, struct prison *pr) goto e_unlock; #endif VOP_UNLOCK(pr->pr_root, 0); - if ((error = pwd_chroot(td, pr->pr_root))) + if ((error = pwd_chroot_chdir(td, pr->pr_root))) goto e_revert_osd; newcred = crget(); diff --git a/sys/sys/filedesc.h b/sys/sys/filedesc.h index db5debcfe7c8..ca85f49d7997 100644 --- a/sys/sys/filedesc.h +++ b/sys/sys/filedesc.h @@ -243,6 +243,7 @@ fd_modified(struct filedesc *fdp, int fd, seq_t seq) /* cdir/rdir/jdir manipulation functions. */ void pwd_chdir(struct thread *td, struct vnode *vp); int pwd_chroot(struct thread *td, struct vnode *vp); +int pwd_chroot_chdir(struct thread *td, struct vnode *vp); void pwd_ensure_dirs(void); #endif /* _KERNEL */ |