Problem Description:
The nullfs(5) implementation of the VOP_LINK(9) VFS
operation does not check whether the source and target of
the link are both in the same nullfs instance. It is
therefore possible to create a hardlink from a location in
one nullfs instance to a file in another, as long as the
underlying (source) filesystem is the same.
Impact:
If multiple nullfs views into the same filesystem are
mounted in different locations, a user with read access to
one of these views and write access to another will be able
to create a hard link from the latter to a file in the
former, even though they are, from the user's perspective,
different filesystems. The user may thereby gain write
access to files which are nominally on a read-only
filesystem.
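The missing check can be modelled in user space. The following is an added example, not FreeBSD kernel source; the types and functions (`mount_view`, `vnode_model`, `link_unchecked`, `link_checked`, `try_link`) are hypothetical and only mirror the condition described above, with the unchecked form beside a hardened one.

```c
/* User-space model, constructed for illustration; not FreeBSD kernel source. */
#include <errno.h>
#include <stdio.h>
struct lower_fs { int id; };      /* the underlying (source) filesystem */
struct mount_view {               /* one nullfs instance */
    struct lower_fs *lower;
    int read_only;
};
struct vnode_model {              /* a file or directory seen through a view */
    struct mount_view *mnt;
    int nlink;
};
typedef int (*link_fn)(struct vnode_model *tdvp, struct vnode_model *vp);

/* Unchecked form: the read_only flag of the file's own view is never read. */
int link_unchecked(struct vnode_model *tdvp, struct vnode_model *vp)
{
    if (tdvp->mnt->read_only)
        return EROFS;             /* target directory's view is read-only */
    if (tdvp->mnt->lower != vp->mnt->lower)
        return EXDEV;             /* different underlying filesystems */
    vp->nlink++;                  /* link created */
    return 0;
}

/* Hardened form: both vnodes must belong to the same nullfs instance. */
int link_checked(struct vnode_model *tdvp, struct vnode_model *vp)
{
    if (tdvp->mnt != vp->mnt)
        return EXDEV;
    return link_unchecked(tdvp, vp);
}

/* Two views of one filesystem: a read-only one and a writable one. */
int try_link(link_fn fn, int same_view)
{
    struct lower_fs ufs = { 1 };
    struct mount_view ro_view = { &ufs, 1 }, rw_view = { &ufs, 0 };
    struct vnode_model file = { same_view ? &rw_view : &ro_view, 1 };
    struct vnode_model dir = { &rw_view, 2 };
    return fn(&dir, &file);
}

int main(void)
{
    printf("unchecked, cross-view: %d\n", try_link(link_unchecked, 0));
    printf("checked, cross-view:   %d\n", try_link(link_checked, 0));
    return 0;
}
```

In the model, the unchecked form succeeds across views because both share one lower filesystem, while the hardened form returns `EXDEV` and still permits links within a single view.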