Date: Wed, 30 Apr 2014 11:45:10 -0700 From: Xin Li <delphij@delphij.net> To: Matthew Seaman <matthew@freebsd.org>, freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs Message-ID: <536144B6.7030305@delphij.net> In-Reply-To: <5360D9CF.6000103@freebsd.org> References: <201404300435.s3U4ZA45093722@freefall.freebsd.org> <5360D9CF.6000103@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 04/30/14 04:09, Matthew Seaman wrote: > On 04/30/14 05:35, FreeBSD Security Advisories wrote: >> Then apply the default ruleset for jails on a devfs mount using: >> >> devfs -m ${devfs_mountpoint} rule -s 4 applyset >> >> Or, alternatively, the following command will apply the ruleset >> over all devfs mountpoints except the host one: >> >> mount -t devfs | grep -v '^devfs on /dev ' | awk '{print $3;}' | >> \ xargs -n 1 -J % devfs -m % rule -s 4 applyset >> >> After this, the system administrator should add the following >> configuration to /etc/rc.conf to make it permanent, so the above >> operations do not have to be done each time the host system >> reboots. >> >> devfs_load_rulesets="YES" >> > > Verb. Sap. Doing this in a jail where you're running net-snmpd > will prevent snmpd from starting up correctly. > > Apr 30 12:02:30 xxxxx snmpd[33871]: init_kmem: kvm_openfiles > failed: /dev/mem: No such file or directory Apr 30 12:02:30 xxxxx > snmpd[33871]: Agent initialization failed This is pretty much expected behavior. The reason is that /dev/mem provides an interface to physical memory, this would have defeated the purpose of doing jails by definition. It would be interesting to find out if we could teach net-snmpd to use alternative methods to access data it needs, e.g. via sysctl I think? Not all data are exposed via sysctl at this time, though. Cheers, - -- Xin LI <delphij@delphij.net> https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?536144B6.7030305>