conf/152465: [jail] devfs is mounted in jails without rules if devfs.rules can't be parsed

Andrey Zholos aaz at althenia.net
Sun Nov 21 23:20:10 UTC 2010


>Number:         152465
>Category:       conf
>Synopsis:       [jail] devfs is mounted in jails without rules if devfs.rules can't be parsed
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 21 23:20:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Andrey Zholos
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD freebsd 9.0-CURRENT-201011 FreeBSD 9.0-CURRENT-201011 #0: Wed Nov  3 18:19:06 UTC 2010     root at obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
If /etc/devfs.rules contains invalid rules and can't be parsed, devfs is
still mounted inside jails, exposing all host devices to a potentially
untrusted environment.

Because parsing of rules stops at the first error, this can happen when
the invalid rule is in a group of rules unrelated to the jail, and even
when a syntactically-correct rule becomes invalid.

For example, the rule

    add path 'ulpt*' mode 0660 group cups

becomes invalid when CUPS is deinstalled (removing the cups group).
This produces a warning, but jails are already started with full access
to devfs before the rule can be removed.

This doesn't affect jails using the standard ruleset (devfsrules_jail in
/etc/defaults/devfs.rules), only those using a custom ruleset in
/etc/devfs.rules which is specified after an invalid rule.

>How-To-Repeat:
Make a simple jail (replace "ad0"):

# mkdir -p /sandbox/{dev,etc,bin,lib,libexec}
# cp /bin/dd /sandbox/bin
# cp /lib/libc.so.* /sandbox/lib
# cp /libexec/ld-elf.so.* /sandbox/libexec
# echo 'root:*:0:0::0:0:Root:/:' > /sandbox/etc/master.passwd
# pwd_mkdb -p -d /sandbox/etc /sandbox/etc/master.passwd

/etc/rc.conf has:
jail_enable="YES"
jail_list="sandbox"
jail_sandbox_hostname="sandbox"
jail_sandbox_rootdir="/sandbox"
jail_sandbox_devfs_enable="YES"
jail_sandbox_devfs_ruleset="sandbox_rules"
jail_sandbox_exec_start="/bin/dd if=/dev/ad0 of=ad0_copy count=1"

/etc/devfs.rules has:
[sandbox_rules=100]
add hide

Normal start, jail can't access host disk:

# /etc/rc.d/jail start
Configuring jails:.
Starting jails: cannot start jail "sandbox": 
dd: /dev/ad0: No such file or directory
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
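
An added example, not part of the original report or of FreeBSD's rc scripts: a pre-flight check that could be run before starting jails. It reports the first rule in a devfs.rules file that names a missing group, followed by the rulesets declared after it, which per the report are the ones a jail would start without. The function names and the sample files are assumptions, and only `group` actions are checked.

```sh
# Added example, not FreeBSD code: pre-flight check for devfs.rules.
# check_devfs_rules RULES_FILE GROUP_FILE (hypothetical helper) prints
# "invalid:<line>:<group>" for the first rule naming a missing group, then
# "unloaded:<ruleset>" for each ruleset declared after it. Status 1 if found.
check_devfs_rules() {
    awk '
        mode == "g" { known[$1] = 1; next }        # group file: name is field 1
        { sub(/#.*/, "") }                         # strip comments
        $1 ~ /^\[.*=.*\]$/ {                       # ruleset header [name=number]
            name = $1
            sub(/^\[/, "", name); sub(/=.*/, "", name)
            if (bad) print "unloaded:" name
            next
        }
        bad || $1 != "add" { next }                # parsing stops at first error
        {
            for (i = 2; i < NF; i++) {
                if ($i == "path") { i++; continue } # skip the pattern itself
                if ($i == "group" && $(i+1) !~ /^[0-9]+$/ && !($(i+1) in known)) {
                    bad = 1
                    print "invalid:" FNR ":" $(i+1)
                    break
                }
            }
        }
        END { exit bad }
    ' FS=: mode=g "$2" FS=' ' mode=r "$1"
}

# Constructed sample: the rule from the report placed ahead of the jail
# ruleset, with a group file that no longer contains "cups".
demo_check() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'wheel:*:0:root' 'operator:*:5:root' > "$d/group"
    cat > "$d/devfs.rules" <<'EOF'
[printer_rules=50]
add path 'ulpt*' mode 0660 group cups
[sandbox_rules=100]
add hide
EOF
    check_devfs_rules "$d/devfs.rules" "$d/group"; rc=$?
    rm -rf "$d"; return "$rc"
}

demo_check || echo "devfs.rules would not load completely; do not start jails"
```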

