Hi all,
I recently learned about devfs and how to use it to mount a /dev in a chroot environment in order for some applications to work.
Considering the locked down nature of the chroot I set up, I was quite worried about the seemingly unfettered access the jail root has over the mounted /dev.
I found out you can simply lock the mount down by applying strict devfs-rules (see /etc/devfs.rules and /etc/defaults/devfs.rules):
Code:
devfs -m ${devfs_mountpoint} rule -s ${rulenr} applyset
For the chroot in question I simply added an init script on the host to execute this command at boot.
(Any way to make the jail do this mount on start?)
My real issue is that every jail on my FreeNAS host appears to have this problem: root user (jexec $jail csh) can see all /dev-nodes like it can on the host.
I'd like to apply the devfsrules_jail ruleset to every jail upon start. Configuring the applied ruleset on a jail-by-jail basis would be ideal.
Every jail's rc.conf does have a devfs section, but modifying it doesn't change anything upon restart.
I'm assuming this is because the restrictions need to be set from the host system, not by the jail? ...
Code:
hostname="AJail"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common" # doesn't matter what is put here
inet6_enable="YES"
...
How can you make the host apply a custom ruleset to the jail's /dev mountpoint when started? Is it even possible?
This security issue was published on 30-04-2014 (http://www.freebsd.org/security/advisories/FreeBSD-SA-14:07.devfs.asc).
Subsequently PC-BSD bug #5058 (https://bugs.pcbsd.org/issues/5058) was logged over a year ago.
The fix was part of revision eadff4f8 (https://bugs.pcbsd.org/projects/fre...ions/eadff4f865ec643ea94d5fec227dc87b51e74b3f).
My experience with the jail devfs tells me this isn't yet part of FreeNAS. Is it supposed to be?
Or is FreeNAS 9.3 simply still built on FreeBSD 9.0+ and is thus lacking this security patch?
If so, do we just sit tight until the next version is released?
Other similar threads:
https://forums.freenas.org/index.php?threads/apply-devfs-rules-in-a-jail.26589/
https://forums.freebsd.org/threads/openvpn-server-in-jail-using-a-tun-device.22143/
The last link mentions a "jail.conf" but I cannot find this file anywhere in FreeNAS.
Thank you for reading.
My apologies for any wrongly made assumptions.
(I didn't put this in the "bug reporting" or "feature requests" because (a) it might be known already, (b) not sure if it's a feature or just well hidden.)
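As an added example (not from the post above, and not FreeNAS or FreeBSD code), here is a host-side script that applies a devfs ruleset to a jail's /dev with the same `devfs -m ... rule -s N applyset` command the post uses, and then checks which device nodes are still visible in that directory. It assumes the stock numbering from /etc/defaults/devfs.rules, where devfsrules_jail is ruleset 4; the jail path and the allow-list of node names are placeholders that you adjust to your setup. The check function only reads a directory, so it also works as a quick audit of an existing jail's /dev without changing anything.

```sh
#!/bin/sh
# Added example, not code from the forum post or from FreeNAS: apply a devfs
# ruleset to a jail's /dev from the host and verify which nodes remain visible.
# Assumes the stock numbering from /etc/defaults/devfs.rules (devfsrules_jail
# is ruleset 4); JAIL_ROOT and ALLOWED_NODES are placeholders/assumptions.

# Nodes the jail is expected to see after the ruleset is applied. This is a
# constructed allow-list; extend it to match whatever your ruleset unhides.
ALLOWED_NODES="log null zero random urandom crypto ptmx pts fd stdin stdout stderr"

# Apply ruleset $2 (default 4, devfsrules_jail) to the devfs mounted at $1/dev.
# Must run on the host as root: the jail cannot change its own devfs rules.
apply_jail_devfs_rules() {
    jail_root=$1
    ruleset=${2:-4}
    devfs -m "$jail_root/dev" rule -s "$ruleset" applyset
}

# Return 0 if the node name $1 is on the allow-list, 1 otherwise.
is_allowed() {
    for node in $ALLOWED_NODES; do
        [ "$1" = "$node" ] && return 0
    done
    return 1
}

# Print every top-level entry of directory $1 that is not on the allow-list
# and return 1 if any were found (0 if the directory is clean). Run it on
# $jail_root/dev after applying the ruleset. It walks one level only, so the
# pts/* and fd/* subtrees are covered by the "pts" and "fd" entries.
check_dev_nodes() {
    dir=$1
    unexpected=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue   # skip an unmatched glob pattern
        name=${entry##*/}
        if ! is_allowed "$name"; then
            echo "$name"
            unexpected=1
        fi
    done
    return $unexpected
}

# Stand-alone usage on the host (placeholder path):
#   JAIL_ROOT=/mnt/jails/AJail sh restrict_jail_dev.sh
if [ -n "${JAIL_ROOT:-}" ]; then
    apply_jail_devfs_rules "$JAIL_ROOT" 4
    if check_dev_nodes "$JAIL_ROOT/dev"; then
        echo "ok: only allow-listed nodes are visible in $JAIL_ROOT/dev"
    else
        echo "warning: the nodes listed above are still exposed to the jail" >&2
        exit 1
    fi
fi
```

Running this once from the host after the jail starts is the part the post asks about; the check function is the part that tells you whether it actually worked, since a ruleset that was never applied (or was applied to the wrong mount) leaves the full host device list visible and the script will print the extra nodes. If you want a custom ruleset instead of number 4, define it in /etc/devfs.rules on the host using the same `[name=N]` header and `add include $devfsrules_hide_all` / `add path ... unhide` lines the defaults file uses, and pass its number as the second argument.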