From owner-svn-src-all@FreeBSD.ORG Fri Jan 31 12:34:56 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 55C6893F; Fri, 31 Jan 2014 12:34:56 +0000 (UTC) Received: from cyrus.watson.org (cyrus.watson.org [198.74.231.69]) by mx1.freebsd.org (Postfix) with ESMTP id 2CA521AFD; Fri, 31 Jan 2014 12:34:56 +0000 (UTC) Received: from fledge.watson.org (fledge.watson.org [198.74.231.63]) by cyrus.watson.org (Postfix) with ESMTPS id 6038E46B1A; Fri, 31 Jan 2014 07:34:48 -0500 (EST) Date: Fri, 31 Jan 2014 12:34:48 +0000 (GMT) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Alexander Leidinger Subject: Re: svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail In-Reply-To: <20140129222210.0000711f@unknown> Message-ID: References: <201401291341.s0TDfDcB068211@svn.freebsd.org> <20140129134344.GW66160@FreeBSD.org> <52E906CD.9050202@freebsd.org> <20140129222210.0000711f@unknown> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, Gleb Smirnoff , src-committers@freebsd.org, James Gritton X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Jan 2014 12:34:56 -0000 On Wed, 29 Jan 2014, Alexander Leidinger wrote: >> It does. I included a warning in jail.8 that this will pretty much undo >> jail security. There are still reasons some may want to do this, but it's >> definitely not for everyone or even most people. > > It only "unjails" (= basically the same security level as the jail-host with > the added benefit of the flexibility of a jail like easy moving from one > system to another) the jail which has this flag set. All other jails without > the flag can not "escape" to the host. > > I also have to add that just setting this flag does not give access to the > host, you also have to configure a non-default devfs rule for this jail (to > have the devices appear in the jail). This is not correct: devices do not need to be delegated in devfs for PRIV_IO to allow bypass of the Jail security model, due to sysarch() and the Linux-emulated equivalent, which turn out direct I/O access from a user process without use of a device node. Frankly, I'd like to see this backed out and not reintroduced. If it must be retained, then it needs a much more clear warning that enabling this feature disables Jail's security model. Don't use the word 'obviate', instead explicitly state that root within the jail can escape the jail. Robert