When mounting devfs into jails via mount.devfs in /etc/jail.conf, it is expected to be assigned the ruleset #4 by default, so that only basic device nodes are accessible inside the jail. However, without explicitly setting devfs_load_rulesets="YES" in /etc/rc.conf, the jail's devfs doesn't get restricted, it will contain all device nodes instead. Fix: Either make devfs_load_rulesets="YES" the default in /etc/defaults/rc.conf or clearly state that this has to be set explicitly in the manpage of jail(8).
I think this should fixed asap or everyone updating FreeBSD end up in running insecure jails. At least there should be a big fat warning in UPDATING. Better /etc/rc.d/jail should emit a warning. Best devfs.rules should be loaded as needed. This would restore the old behavior an not break POLA. with regards Matthias Meyser -- Matthias Meyser | XeNET GmbH Tel.: +49-5323-9489050 | 38678 Clausthal-Zellerfeld, Marktstrasse 40 Fax: +49-5323-94014 | Registergericht: Amtsgericht Braunschweig HRB 110823 Email: Meyser@xenet.de | Geschaeftsfuehrer: Matthias Meyser
Responsible Changed From-To: freebsd-bugs->freebsd-jail reclassify.
This PR can be closed as of FreeBSD-SA-14:07.devfs
State Changed From-To: open->closed From submitter: This PR can be closed as of FreeBSD-SA-14:07.devfs .