I am trying to set up a jail in RELENG_6, and cannot apply the jail ruleset (ruleset 4) to the jail devfs mount point. The system also hangs if I try to apply the rules individually.

I raised PR/93423 for this issue. See http://www.freebsd.org/cgi/query-pr.cgi?pr=93423 for details.

I am wondering if anyone else has had any success securing their jails (i.e. removing device nodes such as those that provide raw access to disks)?
On Tue, Feb 21, 2006 at 08:10:31PM +1000, Andrew Hacking wrote:
> I am trying to set up a jail in RELENG_6, and cannot apply the jail
> ruleset (ruleset 4) to the jail devfs mount point. The system also
> hangs if I try to apply the rules individually.
>
> I raised PR/93423 for this issue. See
> http://www.freebsd.org/cgi/query-pr.cgi?pr=93423 for details
>
> I am wondering if anyone else has had any success securing their jails
> (i.e. removing device nodes such as those that provide raw access to
> disks)?

Jails and devfs rules work fine for me:

%uname -a
FreeBSD s2.stc 6.0-STABLE FreeBSD 6.0-STABLE #0: Fri Nov 11 04:03:19 MSK 2005 igorr@s2.stc:/usr/build/usr/src/sys/S2 i386
%jls
   JID  IP Address      Hostname                      Path
     3  192.168.2.52    samba-pdc.stc                 /home/jail/samba
     2  192.168.2.51    mail2.stc                     /home/jail/mail
     1  192.168.2.50    ldap.stc                      /home/jail/ldap
%mount
...
/dev/mirror/home on /home (ufs, local, soft-updates)
devfs on /home/jail/ldap/dev (devfs, local)
devfs on /home/jail/mail/dev (devfs, local)
devfs on /home/jail/samba/dev (devfs, local)
%ls /home/jail/samba/dev/
fd      null    ptyp1   stderr  stdout  ttyp1   zero
log     ptyp0   random  stdin   ttyp0   urandom
%grep devfs /etc/rc.conf
jail_mail_devfs_enable="YES"
jail_samba_devfs_enable="YES"
jail_ldap_devfs_enable="YES"
On 2/21/06, Andrew Hacking <ahacking@gmail.com> wrote:
> I am trying to set up a jail in RELENG_6, and cannot apply the jail
> ruleset (ruleset 4) to the jail devfs mount point. The system also
> hangs if I try to apply the rules individually.
>
> I raised PR/93423 for this issue. See
> http://www.freebsd.org/cgi/query-pr.cgi?pr=93423 for details
>
> I am wondering if anyone else has had any success securing their jails
> (i.e. removing device nodes such as those that provide raw access to
> disks)?

-- cut here --
jail_enable="YES"
jail_list="j1"
jail_j1_rootdir="/mnt/store/jails/j1"
jail_j1_hostname="j1.freebsd.domain"
jail_j1_ip="<ip>"
jail_j1_exec_start="/bin/sh /etc/rc"
jail_j1_exec_stop="/bin/sh /etc/rc.shutdown"
jail_j1_devfs_enable="YES"
jail_j1_devfs_ruleset="devfsrules_jail"
jail_j1_fstab=""
jail_j1_procfs_enable="YES"
-- and here --

My /etc/devfs.rules is a symlink to /etc/defaults/devfs.rules.

In the jail I can only see:

-- cut here --
j1# ls /dev/
fd      null    ptyp1   ptyp3   random  stdin   ttyp0   ttyp2   ttyp4   zero
log     ptyp0   ptyp2   ptyp4   stderr  stdout  ttyp1   ttyp3   urandom
j1#
-- and here --

HTH.

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
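Both replies above show what a jail's /dev should look like once devfsrules_jail (ruleset 4) has applied: only the basic nodes and pseudo-terminals. The original poster's problem is precisely that the ruleset does not apply, and a jail whose /dev silently kept the host's device nodes looks no different at boot. The following POSIX sh script is an added example, written here and not code from any of the thread's posters: it audits a jail's devfs mount point against an allowlist derived from the listings posted in the thread and reports any node outside it, so a failed ruleset is caught rather than assumed. The allowlist, the node name `da0` used in the constructed demo, and the function names are my assumptions, not anything from the thread.

```sh
#!/bin/sh
# Added example (not from the thread's posters): audit a jail's devfs mount
# point against an allowlist of node names, so that a ruleset that failed to
# apply (leaving e.g. raw disk nodes visible inside the jail) is noticed.

# Allowlist built from the jail /dev listings posted in the thread, i.e. what
# devfsrules_jail (ruleset 4) is expected to leave visible. Assumed policy;
# adjust to the local one.
JAIL_DEV_ALLOW="fd log null random stderr stdin stdout urandom zero"

# is_allowed NAME: succeed if NAME may appear in a jail's /dev.
is_allowed() {
    _name=$1
    for _ok in $JAIL_DEV_ALLOW; do
        [ "$_name" = "$_ok" ] && return 0
    done
    # pseudo-terminal pairs (ptyp0/ttyp0 ...) also appear in the posted listings
    case $_name in
        ptyp[0-9a-v]|ttyp[0-9a-v]) return 0 ;;
    esac
    return 1
}

# audit_jail_dev DIR: print "unexpected: NAME" for each node outside the
# allowlist; return 0 when DIR matches the allowlist, 1 otherwise, 2 on error.
audit_jail_dev() {
    _dir=$1
    _rc=0
    [ -d "$_dir" ] || { echo "no such directory: $_dir" >&2; return 2; }
    for _path in "$_dir"/*; do
        [ -e "$_path" ] || continue      # empty directory leaves the glob literal
        _name=${_path##*/}
        if ! is_allowed "$_name"; then
            echo "unexpected: $_name"
            _rc=1
        fi
    done
    return $_rc
}

# demo: build a constructed sample directory (plain files standing in for
# device nodes) holding the nodes from the thread plus one disk node, run the
# audit on it, and return the audit's status.
demo() {
    _tmp=$(mktemp -d) || return 2
    for _n in fd log null ptyp0 random stderr stdin stdout ttyp0 urandom zero; do
        : > "$_tmp/$_n"
    done
    : > "$_tmp/da0"      # constructed: a raw disk node that must not be visible
    audit_jail_dev "$_tmp"
    _st=$?
    rm -rf "$_tmp"
    return $_st
}

# Usage: sh audit_jail_dev.sh /home/jail/samba/dev   (no argument runs the demo)
if [ $# -gt 0 ]; then
    audit_jail_dev "$1"
else
    demo || echo "demo: audit flagged the constructed disk node, as intended"
fi
```

Run it against each jail's devfs mount (the paths from `mount` in the thread, e.g. `/home/jail/samba/dev`) after the jail starts; a non-zero exit with one or more `unexpected:` lines means the ruleset did not take effect and the jail should be stopped until it does. The allowlist is deliberately a fixed list plus the pty pattern rather than a regex over everything, so a new node type is reported rather than quietly accepted.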