mount: Disallow mounting over a jail root

Discussed with: jamie Approved by: so Security: CVE-2020-25584 Security: FreeBSD-SA-21:10.jail_mount
2021-04-05 17:19:15 -04:00 · 2021-04-05 17:19:15 -04:00 · 2425f5e912
commit 2425f5e912
parent 982693bb72
1 changed files with 3 additions and 3 deletions
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@ -956,10 +956,10 @@ vfs_domount_first(

 	/*
 	 * If the jail of the calling thread lacks permission for this type of
-	 * file system, deny immediately.
+	 * file system, or is trying to cover its own root, deny immediately.
 	 */
-	if (jailed(td->td_ucred) && !prison_allow(td->td_ucred,
-	    vfsp->vfc_prison_flag)) {
+	if (jailed(td->td_ucred) && (!prison_allow(td->td_ucred,
+	    vfsp->vfc_prison_flag) || vp == td->td_ucred->cr_prison->pr_root)) {
 		vput(vp);
 		return (EPERM);
 	}