Date: Mon, 22 Sep 2008 23:19:16 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: glarkin@FreeBSD.org
Cc: freebsd-jail@freebsd.org
Subject: Re: request for (security) comments on this setup
Message-ID: <48D80BD4.8050505@quip.cz>
In-Reply-To: <48D7F756.9040704@FreeBSD.org>
References: <Pine.BSF.4.64.0809220809440.16549@tdream.lly.earlham.edu> <20080922155111.T65801@maildrop.int.zabbadoz.net> <48D7EEA3.4040504@quip.cz> <48D7F756.9040704@FreeBSD.org>
Greg Larkin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Miroslav Lachman wrote:
>
>>Bjoern A. Zeeb wrote:
>>
>>>On Mon, 22 Sep 2008, Randy Schultz wrote:
>>>
>>>Hi,
>>>
>>>
>>>>I'm mounting some iSCSI storage in a jail.  It's mounting in the jail via
>>>>fstab.<jailname>.  When the jail is up and I'm logged into the jail I can cd
>>>>to the mount point, r/w etc., everything seems to work.  What's weird tho' is,
>>>>while a df on the parent shows the partition mounted as expected, a df inside
>>>>the jail shows the local disk but not the iSCSI mount.
>>>>...
>>>>So, my first question is what am I missing, the second is does mounting things
>>>>this way into a jail pose any sort of risk for escaping the jail?
>>>
>>>
>>>Does anything change if you do a
>>>    sysctl security.jail.enforce_statfs=1
>>>
>>>If that's what you want you can add the following lines to
>>>/etc/sysctl.conf in the base system so it is automatically set upon
>>>boot:
>>>
>>># jails
>>>security.jail.enforce_statfs=1
>>
>>Does this have any impact on security?
>>
>># sysctl -d security.jail.enforce_statfs
>>security.jail.enforce_statfs: Processes in jail cannot see all mounted
>>file systems
>>
>>What is this sysctl implemented for?
>>
>>Thanks
>>
>>Miroslav Lachman
>
>
> Hi Miroslav,
>
> - From the jail(8) man page:
>
> security.jail.enforce_statfs
>
>     This MIB entry determines which information processes in a jail are
>     able to get about mount-points.  It affects the behaviour of the
>     following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
>     fhstatfs(2) (as well as similar compatibility syscalls).  When set
>     to 0, all mount-points are available without any restrictions.  When
>     set to 1, only mount-points below the jail's chroot directory are
>     visible.  In addition to that, the path to the jail's chroot
>     directory is removed from the front of their pathnames.  When set to 2
>     (default), above syscalls can operate only on a mount-point where
>     the jail's chroot directory is located.
>
> Hope that helps,
> Greg

Thank you, I forgot to open the jail(8) man page before posting :)

If I understand it correctly - it is just about what information (about
mountpoints) is visible to processes inside the jail, without any security
impact, and it is safe to use security.jail.enforce_statfs=1. Am I right?

(I am sorry for maybe dumb questions, but I am not a kernel/OS developer
and statfs, fstatfs, getfsstat did not tell me much)

Miroslav Lachman
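
Added example (not part of the original message, and not FreeBSD's own code): a small Python model of the three enforce_statfs levels as the quoted jail(8) text describes them, applied to a constructed mount table with hypothetical paths. Reporting the filesystem that holds the jail root as "/" at levels 1 and 2 is an assumption of this sketch.

```python
import posixpath

# Constructed sample: host-side mount table and a jail rooted on its own filesystem.
SAMPLE_MOUNTS = ["/", "/jails/www", "/jails/www/data", "/jails/www2/data"]
SAMPLE_JAIL_ROOT = "/jails/www"   # "/jails/www/data" stands in for the iSCSI mount


def _below(path, root):
    """True if path lies strictly below root, compared per path component."""
    if root == "/":
        return path != "/"
    # Appending "/" keeps "/jails/www2/..." from matching a root of "/jails/www".
    return path.startswith(root + "/")


def _holding_mount(mounts, jail_root):
    """Mount point of the filesystem on which the jail's root directory sits."""
    candidates = [m for m in mounts if m == jail_root or _below(jail_root, m)]
    return max(candidates, key=len)   # deepest mount that contains the jail root


def visible_mounts(mounts, jail_root, enforce_statfs):
    """Mount points a jailed process would be told about, per the man page text."""
    mounts = [posixpath.normpath(m) for m in mounts]
    jail_root = posixpath.normpath(jail_root)
    if enforce_statfs == 0:
        return sorted(mounts)             # no restriction, host paths unchanged
    if enforce_statfs not in (1, 2):
        raise ValueError("enforce_statfs must be 0, 1 or 2")
    _holding_mount(mounts, jail_root)     # fails early on an inconsistent table
    seen = {"/"}                          # assumption: jail root's filesystem shown as "/"
    if enforce_statfs == 1:
        for m in mounts:
            if _below(m, jail_root):
                # Strip the jail's chroot path from the front of the pathname.
                seen.add(m if jail_root == "/" else m[len(jail_root):])
    return sorted(seen)


if __name__ == "__main__":
    for level in (0, 1, 2):
        print(level, visible_mounts(SAMPLE_MOUNTS, SAMPLE_JAIL_ROOT, level))
```

At level 2 the model lists only the jail's own root filesystem, which matches the df output described in the original question; at level 1 the mount below the jail root appears as /data.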