request for (security) comments on this setup

Greg Larkin glarkin at FreeBSD.org
Mon Sep 22 22:22:24 UTC 2008


Miroslav Lachman wrote:
> Greg Larkin wrote:
[...]
>>
>>
>> Hi Miroslav,
>>
>> From the jail(8) man page:
>>
>> security.jail.enforce_statfs
>>
>> This MIB entry determines which information processes in a jail are
>> able to get about mount-points.  It affects the behaviour of the
>> following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
>> fhstatfs(2) (as well as similar compatibility syscalls).  When set
>> to 0, all mount-points are available without any restrictions.  When
>> set to 1, only mount-points below the jail's chroot directory are
>> visible.  In addition to that, the path to the jail's chroot directory
>> is removed from the front of their pathnames.  When set to 2
>> (default), above syscalls can operate only on a mount-point where
>> the jail's chroot directory is located.
>>
>> Hope that helps,
>> Greg
> 
> Thank you, I forgot to open the jail(8) man page before posting :)
> If I understand it correctly - it is just about what information (about
> mountpoints) is visible to processes inside the jail, without any security
> impact, and it is safe to use security.jail.enforce_statfs=1. Am I right?
> (I am sorry for maybe dumb questions, but I am not a kernel/OS developer
> and statfs, fstatfs, getfsstat did not tell me much)
> 

No worries - I did a little experiment with a jail I have running to
show you what the jail can see for different settings of the sysctl:

---> enforce_statfs=2 (default)

[glarkin at r90-3 ~]$ df
Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/da1s1d   8119416 6401772 1068092    86%    /

---> enforce_statfs=1

[glarkin at r90-3 ~]$ df
Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/da1s1d   8119416 6401772 1068092    86%    /
devfs               1       1       0   100%    /dev
procfs              4       4       0   100%    /proc

---> enforce_statfs=0

[glarkin at r90-3 ~]$ df
Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/da0s1a    507630   46858  420162    10%    /
devfs               1       1       0   100%    /dev
/dev/da0s1e    444142   91984  316628    23%    /tmp
/dev/da0s1g   5074328  985860 3682522    21%    /usr
/dev/da0s1d     63214   20352   37806    35%    /usr/home
/dev/da0s1f   1012974  280278  651660    30%    /var
/dev/da1s1d   8119416 6401772 1068092    86%    /SHN
/dev/da3s1d   2025328 1128128  735174    61%    /usr/ports
/dev/da2s1d   2025328  444708 1418594    24%    /usr/src
devfs               1       1       0   100%    /var/named/dev
devfs               1       1       0   100%    /SHN/Jails/Jail3/dev
procfs              4       4       0   100%    /SHN/Jails/Jail3/proc


It looks like setting 1 or 2 is sufficient for programs executing in the
jail.  If the sysctl is set to 0, you can see the filesystems on the
host server, but you still can't access them, as far as I can tell.

Regards,
Greg
--
Greg Larkin

http://www.FreeBSD.org/       - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.