conf/152465: [jail] devfs is mounted in jails without rules if
devfs.rules can't be parsed
Andrey Zholos
aaz at althenia.net
Sun Nov 21 23:20:10 UTC 2010
>Number: 152465
>Category: conf
>Synopsis: [jail] devfs is mounted in jails without rules if devfs.rules can't be parsed
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 21 23:20:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Andrey Zholos
>Release: 9.0-CURRENT
>Organization:
>Environment:
FreeBSD freebsd 9.0-CURRENT-201011 FreeBSD 9.0-CURRENT-201011 #0: Wed Nov 3 18:19:06 UTC 2010 root at obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
If /etc/devfs.rules contains invalid rules and can't be parsed, devfs is
still mounted inside jails, exposing all host devices to a potentially
untrusted environment.

Because parsing of rules stops at the first error, this can happen when
the invalid rule is in a group of rules unrelated to the jail, and even
when a syntactically-correct rule becomes invalid.

For example, the rule

    add path 'ulpt*' mode 0660 group cups

becomes invalid when CUPS is deinstalled (removing the cups group).
This produces a warning, but jails are already started with full access
to devfs before the rule can be removed.

This doesn't affect jails using the standard ruleset (devfsrules_jail in
/etc/defaults/devfs.rules), only those using a custom ruleset in
/etc/devfs.rules which is specified after an invalid rule.
>How-To-Repeat:
Make a simple jail (replace "ad0"):

    # mkdir -p /sandbox/{dev,etc,bin,lib,libexec}
    # cp /bin/dd /sandbox/bin
    # cp /lib/libc.so.* /sandbox/lib
    # cp /libexec/ld-elf.so.* /sandbox/libexec
    # echo 'root:*:0:0::0:0:Root:/:' > /sandbox/etc/master.passwd
    # pwd_mkdb -p -d /sandbox/etc /sandbox/etc/master.passwd

/etc/rc.conf has:

    jail_enable="YES"
    jail_list="sandbox"
    jail_sandbox_hostname="sandbox"
    jail_sandbox_rootdir="/sandbox"
    jail_sandbox_devfs_enable="YES"
    jail_sandbox_devfs_ruleset="sandbox_rules"
    jail_sandbox_exec_start="/bin/dd if=/dev/ad0 of=ad0_copy count=1"

/etc/devfs.rules has:

    [sandbox_rules=100]
    add hide

Normal start, jail can't access host disk:

    # /etc/rc.d/jail start
    Configuring jails:.
    Starting jails: cannot start jail "sandbox":
    dd: /dev/ad0: No such file or directory
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
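
A pre-start audit for the condition described above, as an added example (not part of the original report or of FreeBSD's rc scripts): it finds the first rule naming a group that does not exist and lists the jails in rc.conf whose devfs ruleset is defined after it. It models only the unknown-group case from the report; the `printing` ruleset, the group set and both sample files are constructed, and the function names are hypothetical.

```python
import re

HEADER = re.compile(r"^\[(\w+)=(\d+)\]$")             # e.g. [sandbox_rules=100]
GROUP = re.compile(r"\bgroup\s+(\S+)")                # "group cups" inside a rule
JAIL_RS = re.compile(r'^jail_(\w+)_devfs_ruleset="?([^"\s]+)"?')

def rulesets_after_first_bad_rule(rules_text, known_groups):
    """Return (line_no, rule, names): the first rule naming an unknown group
    and the rulesets whose header follows it; (None, None, []) if clean."""
    bad_line = bad_rule = None
    skipped = []
    for no, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            if bad_line is not None:                  # defined after the error
                skipped.append(header.group(1))
            continue
        if bad_line is None:
            g = GROUP.search(line)
            # Numeric gids always resolve; names must exist on the host.
            if g and not g.group(1).isdigit() and g.group(1) not in known_groups:
                bad_line, bad_rule = no, line
    return bad_line, bad_rule, skipped

def jails_at_risk(rc_conf_text, skipped):
    """Names of jails whose devfs ruleset is one of the skipped rulesets."""
    jails = []
    for line in rc_conf_text.splitlines():
        m = JAIL_RS.match(line.strip())
        if m and m.group(2) in skipped:
            jails.append(m.group(1))
    return jails

# Constructed sample input; on a real host, build known_groups from grp.getgrall().
SAMPLE_RULES = """\
[printing=50]
add path 'ulpt*' mode 0660 group cups

[sandbox_rules=100]
add hide
"""
SAMPLE_RC_CONF = 'jail_list="sandbox"\njail_sandbox_devfs_ruleset="sandbox_rules"\n'

if __name__ == "__main__":
    line_no, rule, skipped = rulesets_after_first_bad_rule(SAMPLE_RULES, {"wheel"})
    print(line_no, rule, skipped, jails_at_risk(SAMPLE_RC_CONF, skipped))
```

Running a check like this before `/etc/rc.d/jail start` lets the start be refused when the list of jails at risk is not empty.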