Date:      Wed, 30 Apr 2014 11:45:10 -0700
From:      Xin Li <delphij@delphij.net>
To:        Matthew Seaman <matthew@freebsd.org>, freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs
Message-ID:  <536144B6.7030305@delphij.net>
In-Reply-To: <5360D9CF.6000103@freebsd.org>
References:  <201404300435.s3U4ZA45093722@freefall.freebsd.org> <5360D9CF.6000103@freebsd.org>

On 04/30/14 04:09, Matthew Seaman wrote:
> On 04/30/14 05:35, FreeBSD Security Advisories wrote:
>> Then apply the default ruleset for jails on a devfs mount using:
>> 
>> devfs -m ${devfs_mountpoint} rule -s 4 applyset
>> 
>> Or, alternatively, the following command will apply the ruleset
>> over all devfs mountpoints except the host one:
>> 
>> mount -t devfs | grep -v '^devfs on /dev ' | awk '{print $3;}' | \
>>     xargs -n 1 -J % devfs -m % rule -s 4 applyset
>> 
>> After this, the system administrator should add the following
>> configuration to /etc/rc.conf to make it permanent, so the above
>> operations do not have to be done each time the host system
>> reboots.
>> 
>> devfs_load_rulesets="YES"
>> 
> 
> Verb. Sap.  Doing this in a jail where you're running net-snmpd
> will prevent snmpd from starting up correctly.
> 
> Apr 30 12:02:30 xxxxx snmpd[33871]: init_kmem: kvm_openfiles failed: /dev/mem: No such file or directory
> Apr 30 12:02:30 xxxxx snmpd[33871]: Agent initialization failed

This is pretty much expected behavior.

The reason is that /dev/mem provides an interface to physical memory;
this would have defeated the purpose of doing jails by definition.

It would be interesting to find out if we could teach net-snmpd to use
alternative methods to access data it needs, e.g. via sysctl I think?
Not all data are exposed via sysctl at this time, though.

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
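As an added example that is not part of the advisory or of this thread: a POSIX sh script that applies the advisory's jail devfs ruleset (ruleset 4) to every devfs mount other than the host /dev and then checks that /dev/mem is hidden in each jail, which is exactly the condition under which net-snmpd's init_kmem fails as Matthew reports. The function names are this example's own assumptions; the `mount -t devfs` line format and the `devfs -m ... rule -s 4 applyset` invocation are taken from the advisory text above.

```shell
#!/bin/sh
# Added example: apply the advisory's jail devfs ruleset (4) to every devfs
# mount except the host /dev, then confirm /dev/mem is hidden in each jail.
# Function names are this example's own, not FreeBSD interfaces.

# Read `mount -t devfs` lines on stdin and print the jail mount points.
# FreeBSD prints "devfs on <mountpoint> (devfs, local, ...)", so field 3 is
# the mount point. A path containing a space would be split wrongly (the
# advisory's awk has the same limit); that shows up as field 4 not starting
# with "(", so such lines are reported rather than passed to devfs(8).
jail_devfs_mounts() {
    while read -r fs on mp rest; do
        [ "$fs" = devfs ] && [ "$on" = on ] || continue
        [ "$mp" = /dev ] && continue   # the host devfs stays unrestricted
        case $rest in
            "("*) printf '%s\n' "$mp" ;;
            *)    printf 'skipping unparsable mount line: %s %s %s %s\n' \
                      "$fs" "$on" "$mp" "$rest" >&2 ;;
        esac
    done
}

# Apply ruleset $2 (default 4, devfsrules_jail) to the devfs mounted at $1.
apply_jail_ruleset() {
    devfs -m "$1" rule -s "${2:-4}" applyset
}

# Return 0 when neither mem nor kmem is visible under $1. net-snmpd's
# init_kmem opens /dev/mem through kvm_openfiles, so a jail where this
# returns 0 is correctly restricted and snmpd will fail there as reported.
check_mem_hidden() {
    for node in mem kmem; do
        if [ -e "$1/$node" ]; then
            printf '%s/%s still visible: ruleset not in effect\n' "$1" "$node" >&2
            return 1
        fi
    done
    return 0
}

main() {
    command -v devfs >/dev/null 2>&1 || { echo 'devfs(8) not found' >&2; return 1; }
    status=0
    for mp in $(mount -t devfs | jail_devfs_mounts); do
        apply_jail_ruleset "$mp" 4 && check_mem_hidden "$mp" || status=1
    done
    return $status
}
# Only modify the system when asked explicitly; sourcing this file is safe.
if [ "x${1:-}" = "x--apply" ]; then main; fi
```

Run it as `sh apply-jail-devfs.sh --apply` on the host; a non-zero exit means some jail still exposes /dev/mem or /dev/kmem after applyset.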