/dev/mem /dev/kmem jails and using netstat -r and snmp

Ruben Bloemgarten rubenl at bloemgarten.demon.nl
Sat Sep 10 08:06:37 PDT 2005


Hi Lowell, 

I absolutely agree with you in regards to jail security, this would
effectively break jail security. My main reason for using jails is not
security however, but manageability and expandability. By now I've figured
out how to make mem and kmem available to a specific jail. As with all *nix
related problems it was painfully simple once understood. I have managed to
enable most NMS functionality I want from inside the jail without having to
resort to this ruleset. I did want to have the option available for
development and testing reasons to be able to differentiate between what I'm
doing wrong and what is just an inherent restriction of properly deployed
jails. For a fully functional NMS solution running from inside a jail, using
very anal access restrictions from the firewall on the mainhost, I'm not
sure yet whether or not I'm actually troubled by the security NoNo access to
privileged devices generates. Anyway, thanks for your insight. Sometimes all
we need is just someone to talk to. 
By the way I am very interested in what everyone's thoughts are in regards
to jail functionality, as in security vs. the VirtualServer aspect and in
which scenario one outweighs the other.

Regards, 
Ruben 

-----Original Message-----
From: lowell at be-well.ilk.org [mailto:lowell at be-well.ilk.org] On Behalf Of
Lowell Gilbert
Sent: September 10, 2005 2:57 PM
To: ruben at bloemgarten.demon.nl
Cc: freebsd-questions at freebsd.org
Subject: Re: /dev/mem /dev/kmem jails and using netstat -r and snmp

"Ruben Bloemgarten" <rubenl at bloemgarten.demon.nl> writes:

> I seem to be a bit stuck here. I seem to need access to /dev/mem and
> /dev/kmem from inside a jail. Specifically to be able to use netstat -r and
> snmp in jailed environments. I'm running FBSD 5.4-RELEASE. Could anyone help
> me shed some light on this problem? Thanks.

Making kmem available in a jail seems like it can't be the right
answer to anything.  Kind of contradicts the point, I would think.

I don't see an easy way around this.  Furthermore, there are different
approaches depending on why you are trying to do this.  If you want
system statistics inside of a jail for remote monitoring, consider
whether that is the best approach; after all, network management *is*
a fundamentally privileged operation.  One way to do it would be to
feed the statistics into the jail from outside of it; this way, the
privileged operation is separated from the network-accessible code,
and not dependent on it in any way.

Good luck.

