Date: Sun, 21 Nov 2010 23:17:36 GMT
From: Andrey Zholos <aaz@althenia.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/152465: [jail] devfs is mounted in jails without rules if devfs.rules can't be parsed
Message-ID: <201011212317.oALNHadV007706@red.freebsd.org>
Resent-Message-ID: <201011212320.oALNK9FC082824@freefall.freebsd.org>

>Number: 152465
>Category: conf
>Synopsis: [jail] devfs is mounted in jails without rules if devfs.rules can't be parsed
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 21 23:20:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Andrey Zholos
>Release: 9.0-CURRENT
>Organization:
>Environment:
FreeBSD freebsd 9.0-CURRENT-201011 FreeBSD 9.0-CURRENT-201011 #0: Wed Nov 3 18:19:06 UTC 2010 root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
If /etc/devfs.rules contains invalid rules and can't be parsed, devfs is
still mounted inside jails, exposing all host devices to a potentially
untrusted environment.

Because parsing of rules stops at the first error, this can happen when the
invalid rule is in a group of rules unrelated to the jail, and even when a
syntactically-correct rule becomes invalid. For example, the rule

    add path 'ulpt*' mode 0660 group cups

becomes invalid when CUPS is deinstalled (removing the cups group). This
produces a warning, but jails are already started with full access to devfs
before the rule can be removed.

This doesn't affect jails using the standard ruleset (devfsrules_jail in
/etc/defaults/devfs.rules), only those using a custom ruleset in
/etc/devfs.rules which is specified after an invalid rule.
>How-To-Repeat:
Make a simple jail (replace "ad0"):

    # mkdir -p /sandbox/{dev,etc,bin,lib,libexec}
    # cp /bin/dd /sandbox/bin
    # cp /lib/libc.so.* /sandbox/lib
    # cp /libexec/ld-elf.so.* /sandbox/libexec
    # echo 'root:*:0:0::0:0:Root:/:' > /sandbox/etc/master.passwd
    # pwd_mkdb -p -d /sandbox/etc /sandbox/etc/master.passwd

/etc/rc.conf has:

    jail_enable="YES"
    jail_list="sandbox"
    jail_sandbox_hostname="sandbox"
    jail_sandbox_rootdir="/sandbox"
    jail_sandbox_devfs_enable="YES"
    jail_sandbox_devfs_ruleset="sandbox_rules"
    jail_sandbox_exec_start="/bin/dd if=/dev/ad0 of=ad0_copy count=1"

/etc/devfs.rules has:

    [sandbox_rules=100]
    add hide

Normal start, jail can't access host disk:

    # /etc/rc.d/jail start
    Configuring jails:.
    Starting jails: cannot start jail "sandbox":
    dd: /dev/ad0: No such file or directory
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
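
The failure mode described in the report, as an added example that is not part of the original message or of FreeBSD's rc scripts: a pre-flight check that finds the first rule in a devfs.rules file naming a user or group absent from the given group and passwd files, and lists the rulesets that contain or follow it. The function names, the simplified rule parsing and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc code. Assumption taken from the report:
# loading of devfs.rules stops at the first rule that fails.

# check_devfs_rules RULES_FILE GROUP_FILE PASSWD_FILE
# Prints the first rule naming an unknown user or group, then each ruleset
# that contains or follows it. Returns 1 if such a rule exists, else 0.
check_devfs_rules() {
    awk -v gfile="$2" -v pfile="$3" '
    BEGIN {
        while ((getline l < gfile) > 0) { split(l, f, ":"); known["group:" f[1]] = 1 }
        while ((getline l < pfile) > 0) { split(l, f, ":"); known["user:" f[1]] = 1 }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
    /^[ \t]*\[/ {                           # [name=number] opens a ruleset
        current = $0
        sub(/^[ \t]*\[/, "", current); sub(/=.*/, "", current)
        if (bad) print "affected ruleset: " current
        next
    }
    !bad {
        for (i = 1; i < NF; i++) {
            if ($i == "path" || $i == "type") { i++; continue }  # skip argument
            if (($i == "group" || $i == "user") && $(i+1) !~ /^[0-9]+$/ &&
                !(($i ":" $(i+1)) in known)) {
                print "line " NR ": unknown " $i " " $(i+1)
                if (current != "") print "affected ruleset: " current
                bad = 1; break
            }
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input mirroring the report: the cups group was removed.
demo_check() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'wheel:*:0:root' 'operator:*:5:root' > "$d/group"
    printf '%s\n' 'root:*:0:0::0:0:Root:/:' > "$d/passwd"
    printf '%s\n' '[printers=10]' "add path 'ulpt*' mode 0660 group cups" \
        '[sandbox_rules=100]' 'add hide' > "$d/devfs.rules"
    rc=0
    check_devfs_rules "$d/devfs.rules" "$d/group" "$d/passwd" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_check || true
```

On a host, `check_devfs_rules /etc/devfs.rules /etc/group /etc/passwd` can be run before jails are started; a non-zero return means a jail whose ruleset is listed should not be given a devfs mount until the rule is fixed.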