Bug 187079 - [jail] devfs_load_rulesets has to be enabled for mount.devfs to behave like expected
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.0-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-jail (Nobody)
 
Reported: 2014-02-26 09:50 UTC by Robert Schulze
Modified: 2014-05-04 03:54 UTC

Description Robert Schulze 2014-02-26 09:50:00 UTC
When mounting devfs into jails via mount.devfs in /etc/jail.conf, it is expected to be assigned the ruleset #4 by default, so that only basic device nodes are accessible inside the jail. However, without explicitly setting devfs_load_rulesets="YES" in /etc/rc.conf, the jail's devfs doesn't get restricted; it will contain all device nodes instead.

Fix: 

Either make devfs_load_rulesets="YES" the default in /etc/defaults/rc.conf or clearly state that this has to be set explicitly in the manpage of jail(8).
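
A configuration check for the situation described above, as an added example that is not part of the bug thread. The function names and sample files are hypothetical, and an unset devfs_load_rulesets is treated as disabled, which is the default the report describes for 10.0-RELEASE.

```shell
#!/bin/sh
# Added example, not part of the bug report. Simplified parsing: bare
# "mount.devfs;" parameters and "#" comments only.

# Last value assigned to devfs_load_rulesets in an rc.conf-style file.
rulesets_value() {
    sed -n 's/^[[:space:]]*devfs_load_rulesets=["'\'']\{0,1\}\([A-Za-z0-9]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# True if that value is one rc.subr accepts as "yes" (YES, TRUE, ON, 1).
rulesets_enabled() {
    case "$(rulesets_value "$1")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Jail names in a jail.conf-style file that set mount.devfs; "(global)" means
# the parameter is set outside any jail block and so applies to every jail.
devfs_scopes() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*[A-Za-z0-9_.*-]+[ \t]*[{]/ { scope = $1; sub(/[{].*/, "", scope) }
        /(^|[ \t;{])mount\.devfs[ \t]*;/ { print (scope == "" ? "(global)" : scope) }
        /[}]/ { scope = "" }
    ' "$1" | sort -u
}

# Usage: check_jail_devfs RC_CONF JAIL_CONF
# Returns 1 and lists affected jails when mount.devfs is in use but
# devfs_load_rulesets is not enabled (the situation this report describes).
check_jail_devfs() {
    rulesets_enabled "$1" && return 0
    scopes=$(devfs_scopes "$2")
    [ -z "$scopes" ] && return 0
    echo "$scopes" | sed 's/^/WARN: unrestricted devfs likely for jail: /'
    return 1
}

# Constructed sample input (not from a real host): rc.conf lacks the setting.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'jail_enable="YES"' > "$d/rc.conf"
    printf '%s\n' 'www {' '    path = "/jails/www";' '    mount.devfs;' '}' > "$d/jail.conf"
    check_jail_devfs "$d/rc.conf" "$d/jail.conf"; rc=$?
    rm -rf "$d"; return "$rc"
}

if [ "$#" -eq 2 ]; then check_jail_devfs "$1" "$2"; fi
```

Run it as `sh check.sh /etc/rc.conf /etc/jail.conf` (the script name is a placeholder); a non-zero exit status means at least one jail mounts devfs without the rulesets being loaded.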
Comment 1 Meyser+bugs.freebsd.org 2014-03-06 08:17:48 UTC
I think this should be fixed ASAP or everyone updating
FreeBSD ends up running insecure jails.

At least there should be a big fat warning in UPDATING.

Better /etc/rc.d/jail should emit a warning.

Best devfs.rules should be loaded as needed.
This would restore the old behavior and not break POLA.

with regards
    Matthias Meyser
-- 
Matthias Meyser            | XeNET GmbH
Tel.:  +49-5323-9489050    | 38678 Clausthal-Zellerfeld, Marktstrasse 40
Fax:   +49-5323-94014      | Registergericht: Amtsgericht Braunschweig HRB 110823
Email: Meyser@xenet.de     | Geschaeftsfuehrer: Matthias Meyser
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2014-03-09 15:41:47 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-jail

reclassify.
Comment 3 Robert Schulze 2014-04-30 09:12:18 UTC
This PR can be closed as of FreeBSD-SA-14:07.devfs
Comment 4 Mark Linimon freebsd_committer freebsd_triage 2014-05-04 03:53:09 UTC
State Changed
From-To: open->closed

From submitter: 

This PR can be closed as of FreeBSD-SA-14:07.devfs.