jails and output of df/mount [PATCH]

Juergen Unger j.unger at addict.de
Tue May 17 22:22:30 GMT 2005


Hi Jeremie!

On Tue, May 17, 2005 at 11:43:24PM +0200, Jeremie Le Hen wrote:
[...]
> This works fine on a recent RELENG_5 UP kernel.  Given that this
> exposes some host configuration inside jail, it might be worth
> adding a sysctl to disable this.  However, I'm not really sure
> this kind of information could really be an attack vector or ramp.

I don't share your opinion that this exposes information not
already known to the processes within the jail.  For example:

with this patch I get on a sample jail here the following
output:

> jail# df -h
> Filesystem          Size    Used   Avail Capacity  Mounted on
> /dev/md3c           4.8G    148M    4.3G     3%    /data1/jail/003
> 195.49.136.4:/po    989M    275M    635M    30%    /data1/jail/003/usr/ports
> 195.49.136.4:/di    989M    189M    721M    21%    /data1/jail/003/distfiles
> 195.49.136.4:/pa    989M     83M    828M     9%    /data1/jail/003/packages
> /dev/md2001c         19G    4.0K     18G     0%    /data1/jail/003/var/spool/news
> devfs               1.0K    1.0K      0B   100%    /data1/jail/003/dev
> fdescfs             1.0K    1.0K      0B   100%    /data1/jail/003/dev/fd
> procfs              4.0K    4.0K      0B   100%    /data1/jail/003/proc
> jail# 

the processes within the jail can get the same information without
the patch if they call df for each mounted fs separately:

> jail# df -h /
> Filesystem    Size    Used   Avail Capacity  Mounted on
> /dev/md3c     4.8G    148M    4.3G     3%    /data1/jail/003
> jail# df -h /usr/ports
> Filesystem          Size    Used   Avail Capacity  Mounted on
> 195.49.136.4:/po    989M    275M    635M    30%    /data1/jail/003/usr/ports
> jail# df -h /distfiles
> Filesystem          Size    Used   Avail Capacity  Mounted on
> 195.49.136.4:/di    989M    189M    721M    21%    /data1/jail/003/distfiles
[...and so on...]

That the '/data1/jail/003/' path component is shown in the output
is another point to fix (I will make another patch for it), but
this behaviour is not changed from before.  It would be better to
output only the path as it is known to the jailed processes.

> There seems to be one small bug in your patch : once applied, we
> don't see information about / any longer inside jails.

hmm, I think I know what you mean.  I am very sure this happens only
if the jail does not have its own filesystem (so the jail's root is
not the root of a filesystem).  Should be easy to fix.  I will
make an improved patch by tomorrow.

bye,
  Juergen


-- 
ENOSIG
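The two points discussed in this message (showing a jailed process only the mounts it can reach, reported with the host-side jail path stripped off, and the case where the jail root is a plain directory rather than a mount point of its own, which makes the jail's "/" vanish from a naive "below the jail root" filter) can be modelled in userland. The following C program is an added example written for this page; it is not the patch from this thread and not FreeBSD kernel code. The host mount table, the filesystem names and the function name `jail_visible_mounts` are constructed for illustration; paths are assumed canonical (absolute, no trailing slash).

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD code: a userland model of the filtering a
 * jail-aware mount list needs.  A mount is visible to a jail only if it
 * is the jail root, lies below it, or is the filesystem that holds the
 * jail root directory; visible mount points are reported relative to
 * the jail root, i.e. as the jailed processes know them.
 */

#define MAX_PATH 256

struct mnt {
    char fsname[64];
    char mountpt[MAX_PATH];
};

/* Constructed sample host mount table; names are assumptions. */
static const struct mnt host_mounts[] = {
    { "/dev/md0a",   "/" },
    { "/dev/md1",    "/data1" },
    { "/dev/md3c",   "/data1/jail/003" },
    { "nfs:/ports",  "/data1/jail/003/usr/ports" },
    { "devfs",       "/data1/jail/003/dev" },
    { "/dev/md9",    "/data1/jail/004" },
};
static const int n_host_mounts = sizeof host_mounts / sizeof host_mounts[0];

/* Length of `root` used as a prefix; "/" contributes no characters so
 * that "/usr" is seen as below the host root rather than as "//usr". */
static size_t prefix_len(const char *root)
{
    return strcmp(root, "/") == 0 ? 0 : strlen(root);
}

/* Return 1 if `path` is `root` itself or lies strictly below it.
 * Both paths are assumed canonical: absolute, no trailing slash. */
static int under_root(const char *path, const char *root)
{
    size_t rl = prefix_len(root);
    return strncmp(path, root, rl) == 0 &&
           (path[rl] == '\0' || path[rl] == '/');
}

/*
 * Fill `out` with the mounts a process jailed at `root` may see, with
 * mount points rewritten relative to the jail.  Returns the number
 * of entries written.
 */
int jail_visible_mounts(const struct mnt *mounts, int n, const char *root,
                        struct mnt *out, int maxout)
{
    size_t rl = prefix_len(root);
    int nout = 0, root_idx = -1;
    size_t best = 0;

    /* Pass 1: the deepest mount at or above the jail root becomes "/".
     * A pure "below the jail root" test misses this when the jail is a
     * directory on a larger filesystem instead of a mount point of its
     * own, and the jail's "/" then disappears from the listing. */
    for (int i = 0; i < n; i++) {
        if (under_root(root, mounts[i].mountpt)) {
            size_t l = strlen(mounts[i].mountpt);
            if (root_idx < 0 || l > best) {
                root_idx = i;
                best = l;
            }
        }
    }
    if (root_idx >= 0 && nout < maxout) {
        out[nout] = mounts[root_idx];
        strcpy(out[nout].mountpt, "/");
        nout++;
    }

    /* Pass 2: mounts strictly below the jail root, with the host-side
     * prefix (e.g. "/data1/jail/003") stripped off. */
    for (int i = 0; i < n; i++) {
        const char *mp = mounts[i].mountpt;
        if (i == root_idx || nout >= maxout)
            continue;
        if (strncmp(mp, root, rl) == 0 && mp[rl] == '/') {
            out[nout] = mounts[i];
            strcpy(out[nout].mountpt, mp + rl);
            nout++;
        }
    }
    return nout;
}

static void show(const char *root)
{
    struct mnt out[16];
    int n = jail_visible_mounts(host_mounts, n_host_mounts, root, out, 16);
    printf("jail root %s:\n", root);
    for (int i = 0; i < n; i++)
        printf("  %-12s %s\n", out[i].fsname, out[i].mountpt);
}

int main(void)
{
    show("/data1/jail/003");   /* jail with its own filesystem */
    show("/data1/jail/005");   /* jail that is only a directory on /data1 */
    return 0;
}
```

The first pass is the part that matters for the "no / inside the jail" report: a jail whose root is a directory on /data1 has no mount of its own at or below its root, so the filesystem containing that directory has to be picked up from above and presented as "/". The second pass is the prefix stripping the message proposes for the follow-up patch.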


More information about the freebsd-hackers mailing list