authorMark Johnston <markj@FreeBSD.org>2021-04-06 18:57:57 +0000
committerMark Johnston <markj@FreeBSD.org>2021-04-06 19:02:24 +0000
commitd50b66a6c387930377f94c9362343cca8ddc0886 (patch)
tree8b367dc2f833e0ce67af3251ea1035918fd49efc
parente7b28b5bb38ed942bc49b4cf9d313f9a051c9966 (diff)
downloadsrc-d50b66a6c387930377f94c9362343cca8ddc0886.tar.gz
src-d50b66a6c387930377f94c9362343cca8ddc0886.zip
mount: Disallow mounting over a jail root
Discussed with: jamie Approved by: so Security: CVE-2020-25584 Security: FreeBSD-SA-21:10.jail_mount (cherry picked from commit 110ebf0886825227d03d2ab17139a8741272aef5)
-rw-r--r--sys/kern/vfs_mount.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c
index afbb3e313d75..a7db7a3dd9d4 100644
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@@ -844,10 +844,10 @@ vfs_domount_first(
/*
* If the jail of the calling thread lacks permission for this type of
- * file system, deny immediately.
+ * file system, or is trying to cover its own root, deny immediately.
*/
- if (jailed(td->td_ucred) && !prison_allow(td->td_ucred,
- vfsp->vfc_prison_flag)) {
+ if (jailed(td->td_ucred) && (!prison_allow(td->td_ucred,
+ vfsp->vfc_prison_flag) || vp == td->td_ucred->cr_prison->pr_root)) {
vput(vp);
return (EPERM);
}
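Review bot: The new `vp == td->td_ucred->cr_prison->pr_root` test is folded into the existing `prison_allow()` condition, so two unrelated policy decisions share one expression, and the updated comment says what is denied but not why. A separate guard such as `if (jailed(td->td_ucred) && vp == td->td_ucred->cr_prison->pr_root) {` with the same `vput(vp); return (EPERM);` body would let each check carry its own comment, for example `/* Covering the jail root would change what the jail's root vnode resolves to; see FreeBSD-SA-21:10.jail_mount. */`. The comparison is by vnode pointer identity and reads `pr_root` with no lock visible in this hunk; if that field is immutable after jail creation, as it appears to be, a short comment saying so would save the next reader from having to verify it. The body of `vfs_domount_first()` starts and ends outside the hunk, so any locking or other jail checks around this point are not visible here.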