request for (security) comments on this setup
Miroslav Lachman
000.fbsd at quip.cz
Mon Sep 22 21:18:50 UTC 2008
Greg Larkin wrote:
> Miroslav Lachman wrote:
>
>>Bjoern A. Zeeb wrote:
>>
>>>On Mon, 22 Sep 2008, Randy Schultz wrote:
>>>
>>>Hi,
>>>
>>>
>>>>I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
>>>>fstab.<jailname>. When the jail is up and I'm logged into the jail I can cd
>>>>to the mount point, r/w etc., everything seems to work. What's weird tho' is,
>>>>while a df on the parent shows the partition mounted as expected, a df inside
>>>>the jail shows the local disk but not the iSCSI mount.
>>>>...
>>>>So, my first question is what am I missing, the second is does mounting things
>>>>this way into a jail pose any sort of risk for escaping the jail?
>>>
>>>
>>>Does anything change if you do a
>>> sysctl security.jail.enforce_statfs=1
>>>
>>>If that's what you want you can add the following lines to
>>>/etc/sysctl.conf in the base system so it is automatically set upon
>>>boot:
>>>
>>># jails
>>>security.jail.enforce_statfs=1
>>
>>Does this have any impact on security?
>>
>># sysctl -d security.jail.enforce_statfs
>>security.jail.enforce_statfs: Processes in jail cannot see all mounted
>>file systems
>>
>>What is this sysctl implemented for?
>>
>>Thanks
>>
>>Miroslav Lachman
>
>
> Hi Miroslav,
>
> From the jail(8) man page:
>
> security.jail.enforce_statfs
>
> This MIB entry determines which information processes in a jail are
> able to get about mount-points. It affects the behaviour of the
> following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
> fhstatfs(2) (as well as similar compatibility syscalls). When set
> to 0, all mount-points are available without any restrictions. When
> set to 1, only mount-points below the jail's chroot directory are
> visible. In addition to that, the path to the jail's chroot directory
> is removed from the front of their pathnames. When set to 2
> (default), above syscalls can operate only on a mount-point where
> the jail's chroot directory is located.
>
> Hope that helps,
> Greg
Thank you, I forgot to open the jail(8) man page before posting :)
If I understand it correctly - it is just about what information (about
mountpoints) is visible to processes inside the jail without any security
impact and it is safe to use security.jail.enforce_statfs=1. Am I right?
(I am sorry for maybe dumb questions, but I am not a kernel/OS developer
and statfs, fstatfs, getfsstat did not tell me much)
Miroslav Lachman
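
The visibility rule quoted from jail(8) in this thread, as an added example that is not part of the original message: a small Python model of which mount points a jailed process is shown at each security.jail.enforce_statfs level. The mount table, the jail path and the function names are constructed for illustration, and reporting the file system that holds the jail's root as "/" is an assumption of the model.

```python
# Added illustration: a model of the enforce_statfs levels as jail(8) words them.
# The mount table and jail path below are constructed sample data.

def _below(path, root):
    """True if path is root itself or lies underneath it (whole components)."""
    root = root.rstrip("/")
    return path == (root or "/") or path.startswith(root + "/")

def jail_view(host_mounts, jail_root, level):
    """Mount points a process jailed at jail_root is shown at this level."""
    if level not in (0, 1, 2):
        raise ValueError("enforce_statfs takes 0, 1 or 2")
    if level == 0:
        return sorted(host_mounts)      # no restriction, host paths as-is
    # Assumption: the file system holding the jail's root is listed as "/".
    view = {"/"}
    if level == 1:
        prefix = jail_root.rstrip("/")
        for mnt in host_mounts:
            if _below(mnt, jail_root) and mnt != (prefix or "/"):
                view.add(mnt[len(prefix):])   # jail path stripped from front
    return sorted(view)                 # level 2: only the root's own fs

HOST_MOUNTS = [
    "/",
    "/usr",
    "/jails/www/data",      # stands in for storage mounted via fstab.<jailname>
    "/jails/www2/data",     # a different jail whose path shares a prefix
]
JAIL_ROOT = "/jails/www"

if __name__ == "__main__":
    for level in (0, 1, 2):
        print(level, jail_view(HOST_MOUNTS, JAIL_ROOT, level))
```

In this model the default level 2 lists only the jail's root file system, which matches the df output described at the start of the thread, while level 1 adds the storage mount as /data without exposing host paths or the other jail's mount.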