I. 背景 - Background

The jail(2) system call allows a system administrator to lock a process and all of its descendants inside an environment with a very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more powerful than, the traditional UNIX chroot(2) system call.
The device file system, or devfs(5), provides access to kernel's device namespace in the global file system namespace. This includes access to to system devices such as storage devices, kernel and system memory devices, BPF devices, and serial port devices. Devfs is is generally mounted as /dev. Devfs rulesets allow an administrator to hide certain device nodes; this is most commonly applied to a devfs mounted for use inside a jail, in order to make devices inaccessible to processes within that jail.

II. 問題の詳細 - Problem Description

Due to insufficient parameter checking of the node type during device creation, any user can expose hidden device nodes on devfs mounted file systems within their jail. Device nodes will be created in the jail with their normal default access permissions.

III. 影響範囲 - Impact

Jailed processes can get access to restricted resources on the host system. For jailed processes running with superuser privileges this implies access to all devices on the system. This level of access can lead to information leakage and privilege escalation.

IV. 回避方法 - Workaround

Unmount device file systems mounted inside jails. Note that certain device nodes, such as /dev/null, may be required for some software to function correctly.
This can be done by executing the following command as root:

umount -A -t devfs

Also, remove or comment out any lines in fstab(5) that reference `devfs' and has a mount point within a jail, so that they will not be re-mounted at next reboot.
Some device file systems might be busy, including the host's main /dev file system, and processes accessing these must be shut down before the device file system can be unmounted. The hosts main device file system, mounted as /dev, should not be unmounted since it is required for normal system operation.

><