Attachment 237282 Details for Bug 264317 – 2022-10-13 updated patch as plain diff

[patch] 2022-10-13 updated patch as plain diff

0001-Clarify-mount.devfs-and-devfs_ruleset-for-jails.txt (text/plain), 3.14 KB, created by Benjamin Spiegel on 2022-10-14 03:47:14 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Benjamin Spiegel

Created: 2022-10-14 03:47:14 UTC

Size: 3.14 KB

patch

obsolete

>diff --git a/documentation/content/en/books/handbook/jails/_index.adoc b/documentation/content/en/books/handbook/jails/_index.adoc
>index 5b2d469e0b..09f047af03 100644
>--- a/documentation/content/en/books/handbook/jails/_index.adoc
>+++ b/documentation/content/en/books/handbook/jails/_index.adoc
>@@ -197,7 +197,6 @@ The man:jail[8] manual page explains the procedure for building a jail:
> # make buildworld  <.>
> # make installworld DESTDIR=$D  <.>
> # make distribution DESTDIR=$D  <.>
>-# mount -t devfs devfs $D/dev   <.>
> ....
> 
> <.> Selecting a location for a jail is the best starting point. This is where the jail will physically reside within the file system of the jail's host. A good choice can be [.filename]#/usr/jail/jailname#, where _jailname_ is the hostname identifying the jail. Usually, [.filename]#/usr/# has enough space for the jail file system, which for "complete" jails is, essentially, a replication of every file present in a default installation of the FreeBSD base system.
>@@ -207,8 +206,6 @@ The man:jail[8] manual page explains the procedure for building a jail:
> <.> This command will populate the directory subtree chosen as jail's physical location on the file system with the necessary binaries, libraries, manual pages and so on.
> <.> The `distribution` target for make installs every needed configuration file. In simple words, it installs every installable file of [.filename]#/usr/src/etc/# to the [.filename]#/etc# directory of the jail environment: [.filename]#$D/etc/#.
> 
>-<.> Mounting the man:devfs[8] file system inside a jail is not required. On the other hand, any, or almost any application requires access to at least one device, depending on the purpose of the given application. It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things in the jail. Control over man:devfs[8] is managed through rulesets which are described in the man:devfs[8] and man:devfs.conf[5] manual pages.
>-
> === Configuring the Host
> 
> Once a jail is installed, it can be started by using the man:jail[8] utility.
>@@ -217,6 +214,13 @@ Other arguments may be specified too, e.g., to run the jailed process with the c
> The `_command_` argument depends on the type of the jail; for a _virtual system_, [.filename]#/etc/rc# is a good choice, since it will replicate the startup sequence of a real FreeBSD system.
> For a _service_ jail, it depends on the service or application that will run within the jail.
> 
>+Many applications need access to at least one device.
>+To make devices available in a jail, mount the man:devfs[8] file system in the jail by specifying `_mount.devfs_`.
>+It is very important to control access to devices from inside a jail, as improper settings could permit an attacker to do nasty things from the jail.
>+This access is managed with rulesets, as described in man:devfs[8] and man:devfs.conf[5].
>+When `_mount.devfs_` is specified, a default ruleset for jails is applied.
>+Optionally, add the `_devfs_ruleset_` argument to define a different ruleset for the jail.
>+
> Jails are often started at boot time and the FreeBSD [.filename]#rc# mechanism provides an easy way to do this.
> 
> [.procedure]

Flags:

bspiegel100: maintainer-approval?

Actions: View | Diff

Attachments on bug 264317: 234299 | 234300 | 237282