[src/trunk]: src/sys/kern If we're in a chroot, and we are looking up '..', m...

[wrstuden <wrstuden%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/2c8190609801
branches:  trunk
changeset: 533096:2c8190609801
user:      wrstuden <wrstuden%NetBSD.org@localhost>
date:      Fri Jun 21 02:19:12 2002 +0000

description:
If we're in a chroot, and we are looking up '..', make sure we are
still in the chroot. If not, teleport the lookup to the chroot
and log. Closes an assisted-jail escape method pointed out by
xs%kittenz.org@localhost. Patch from xs%kittenz.org@localhost and myself

diffstat:

 sys/kern/vfs_lookup.c |  32 ++++++++++++++++++++++++++++++--
 1 files changed, 30 insertions(+), 2 deletions(-)

diffs (67 lines):

diff -r e5a2a78fa03c -r 2c8190609801 sys/kern/vfs_lookup.c
--- a/sys/kern/vfs_lookup.c     Fri Jun 21 01:38:57 2002 +0000
+++ b/sys/kern/vfs_lookup.c     Fri Jun 21 02:19:12 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: vfs_lookup.c,v 1.39 2001/12/08 04:09:59 lukem Exp $    */
+/*     $NetBSD: vfs_lookup.c,v 1.40 2002/06/21 02:19:12 wrstuden Exp $ */
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1993
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_lookup.c,v 1.39 2001/12/08 04:09:59 lukem Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_lookup.c,v 1.40 2002/06/21 02:19:12 wrstuden Exp $");
 
 #include "opt_ktrace.h"
 
@@ -57,6 +57,7 @@
 #include <sys/hash.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/syslog.h>
 
 #ifdef KTRACE
 #include <sys/ktrace.h>
@@ -435,6 +436,8 @@
         * 1. If at root directory (e.g. after chroot)
         *    or at absolute root directory
         *    then ignore it so can't get out.
+        * 1a. If we have somehow gotten out of a jail, warn
+        *    and also ignore it so we can't get farther out.
         * 2. If this vnode is the root of a mounted
         *    filesystem, then replace it with the
         *    vnode which was mounted on so we take the
@@ -448,6 +451,31 @@
                                VREF(dp);
                                goto nextname;
                        }
+                       if (ndp->ni_rootdir != rootvnode) {
+                               int retval;
+                               VOP_UNLOCK(dp, 0);
+                               retval = vn_isunder(dp, ndp->ni_rootdir,
+                                   cnp->cn_proc);
+                               vn_lock(dp, LK_EXCLUSIVE | LK_RETRY);
+                               if (!retval) {
+                                   /* Oops! We got out of jail! */
+                                   log(LOG_WARNING,
+                                       "chrooted pid %d uid %d (%s) "
+                                       "detected outside of its chroot\n",
+                                       cnp->cn_proc->p_pid,
+                                       cnp->cn_proc->p_ucred->cr_uid,
+                                       cnp->cn_proc->p_comm);
+                                   /* Put us at the jail root. */
+                                   vput(dp);
+                                   dp = ndp->ni_rootdir;
+                                   ndp->ni_dvp = dp;
+                                   ndp->ni_vp = dp;
+                                   VREF(dp);
+                                   VREF(dp);
+                                   vn_lock(dp, LK_EXCLUSIVE | LK_RETRY);
+                                   goto nextname;
+                               }
+                       }
                        if ((dp->v_flag & VROOT) == 0 ||
                            (cnp->cn_flags & NOCROSSMOUNT))
                                break;