FreeBSD-SA-21:10.jail_mount : jail escape possible by mounting over jail root
Versions Affected : All versions prior to TrueNAS 12.0-U3
Due to a race condition between lookup of “..” and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail.
A process with superuser privileges running inside a jail configured with the allow.mount permission (not enabled by default) could change the root directory outside of the jail, and thus gain full read and write access to all files and directories in the system.
As a workaround, disable allow.mount permission for all jails with untrusted root users; see jail(1) and jail.conf(5) manual pages for details.
- Upgrade to TrueNAS 12.0-U3 or later.
- FreeBSD Revision : r369557
- TrueNAS Commit : f2858df
- TrueNAS Commit : ab8a956
- TrueNAS Commit : 4102526
- JIRA Ticket : NAS-109604