Lock down devfs in a jail (devfsrules)

Status
Not open for further replies.

theirman

Dabbler
Joined
Jan 30, 2014
Messages
31
Hi all,

I recently learned about devfs and how to use it to mount a /dev in a chroot environment in order for some applications to work.
Considering the locked down nature of the chroot I set up, I was quite worried about the seemingly unfettered access the jail root has over the mounted /dev.

I found out you can simply lock the mount down by applying strict devfs-rules (see /etc/devfs.rules and /etc/defaults/devfs.rules):
Code:
devfs -m ${devfs_mountpoint} rule -s ${rulenr} applyset

For the chroot in question I simply added an init script on the host to execute this command at boot.
(Any way to make the jail do this mount on start?)

My real issue is that every jail on my FreeNAS host appears to have this problem: root user (jexec $jail csh) can see all /dev-nodes like it can on the host.
I'd like to apply the devfsrules_jail ruleset to every jail upon start. Configuring the applied ruleset on a jail-by-jail basis would be ideal.

Every jail's rc.conf does have a devfs section, but modifying it doesn't change anything upon restart.
Code:
...
hostname="AJail"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common" # doesn't matter what is put here
inet6_enable="YES"
...
I'm assuming this is because the restrictions need to be set from the host system, not by the jail?

How can you make the host apply a custom ruleset to the jail's /dev mountpoint when started? Is it even possible?

This security issue was published on 30-04-2014 (http://www.freebsd.org/security/advisories/FreeBSD-SA-14:07.devfs.asc).
Subsequently PC-BSD bug #5058 (https://bugs.pcbsd.org/issues/5058) was logged over a year ago.
The fix was part of revision eadff4f8 (https://bugs.pcbsd.org/projects/fre...ions/eadff4f865ec643ea94d5fec227dc87b51e74b3f).

My experience with the jail devfs tells me this isn't part of FreeNAS yet. Is it supposed to be?
Or is FreeNAS 9.3 simply still built on FreeBSD 9.0+ and is thus lacking this security patch?
If so, do we just sit tight until next version is released?

Other similar threads:
https://forums.freenas.org/index.php?threads/apply-devfs-rules-in-a-jail.26589/
https://forums.freebsd.org/threads/openvpn-server-in-jail-using-a-tun-device.22143/
The last link mentions a "jail.conf" but I cannot find this file anywhere in FreeNAS.

Thank you for reading.
My apologies for any wrongly made assumptions.

(I didn't put this in the "bug reporting" or "feature requests" because (a) it might be known already, (b) not sure if it's a feature or just well hidden.)

theirman

No :(

Doesn't appear to be possible in FreeNAS. So I'll resort to a script to apply the devfs rules to my various jails.
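As an added example of the kind of host-side script the poster settles on (this is not code from the thread or from FreeNAS itself), the following applies a devfs ruleset to every running jail's /dev from the host. It assumes a FreeBSD/FreeNAS host where jls(8) and devfs(8) are available, and it assumes ruleset number 4 is devfsrules_jail as shipped in /etc/defaults/devfs.rules (check your own file; the number is what devfs -s takes). The function that builds the command and the one that parses jls output are kept separate so they can be checked without a devfs mount present; counting the nodes left in the jail's /dev before and after is a quick sanity check that the restricted set took effect.

```shell
#!/bin/sh
# Added example, not from the original thread: apply a devfs ruleset to the
# /dev of every running jail from the host. Assumes FreeBSD/FreeNAS with
# jls(8) and devfs(8). RULESET defaults to 4 (assumed to be devfsrules_jail
# from /etc/defaults/devfs.rules; verify the number on your host).

RULESET="${RULESET:-4}"

# Build the exact devfs(8) invocation for one jail root path.
# Example: devfs_cmd_for_jail /mnt/jails/AJail 4
devfs_cmd_for_jail() {
    jail_root="$1"
    ruleset="$2"
    printf 'devfs -m %s/dev rule -s %s applyset\n' "$jail_root" "$ruleset"
}

# Parse the output of 'jls -h name path' (a header line followed by one
# "name path" line per jail) and emit only the path column.
# Note: jail paths containing spaces are not handled by this parser.
jail_paths_from_jls() {
    awk 'NR > 1 { print $2 }'
}

# Count the device nodes visible under a given /dev directory; with the
# restricted jail ruleset applied this should drop to a handful of entries.
count_dev_nodes() {
    dev_dir="$1"
    ls -A "$dev_dir" | wc -l | tr -d ' '
}

# Apply RULESET to every running jail that has a /dev directory,
# printing the node count before and after so the change is visible.
apply_to_all_jails() {
    jls -h name path | jail_paths_from_jls | while read -r path; do
        [ -d "$path/dev" ] || continue
        before=$(count_dev_nodes "$path/dev")
        # Run the same command the thread shows, with the jail's mountpoint.
        devfs -m "$path/dev" rule -s "$RULESET" applyset
        after=$(count_dev_nodes "$path/dev")
        echo "$path/dev: $before nodes -> $after nodes (ruleset $RULESET)"
    done
}

# Only touch the system when explicitly asked, so the file can be sourced
# or read without side effects: run as 'sh apply_jail_devfs.sh --apply'.
if [ "${1:-}" = "--apply" ]; then
    apply_to_all_jails
fi
```

Run it from the host as root after the jails are up (for instance from a host-side init script, as the first post describes for the chroot); the jail's own rc.conf cannot do this because the mount and its rules belong to the host.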