[PATCH] Dangerous jail()<->ioctl interactions.
Wojciech A. Koszek
dunstan at freebsd.czest.pl
Sat Feb 26 14:17:41 GMT 2005
On Thu, Feb 24, 2005 at 01:03:17AM +0800, Xin LI wrote:
> On Mon, Feb 21, 2005 at 10:16:56PM +0000, Wojciech A. Koszek wrote:
> > Hello hackers,
> > I would like to let you know I've been doing a [partial] audit of ioctl()
> > connections.
> Default devfs configuration for a jail is not to mount it. Additionally, the
> default devfs ruleset hides everything but a limited set of pseudo devices that
> should be common for applications to consume. Therefore, I'd rather say that
> it's a configuration mistake of the user (^_^)
> Do you imply that there are other devices that enforce check against whether they
> are ioctl'ed in jail?
I agree these files should not appear inside a jailed environment. I've just
pointed out devices which are not secured by the underlying code (I mean just like
ioctl()ing interface files, which are secured with the general ioctl() handler
making a suser() test).
* Wojciech A. Koszek && dunstan at FreeBSD.czest.pl