From: Igor Robul
Date: Tue, 21 Feb 2006 14:51:36 +0300
To: freebsd-stable@freebsd.org
Subject: Re: Jails in 6.0 and devfs woes

On Tue, Feb 21, 2006 at 08:10:31PM +1000, Andrew Hacking wrote:
> I am trying to set up a jail in RELENG_6, and cannot apply the jail
> ruleset (ruleset 4) to the jail devfs mount point. The system also
> hangs if I try to apply the rules individually.
>
> I raised PR/93423 for this issue. See
> http://www.freebsd.org/cgi/query-pr.cgi?pr=93423 for details
>
> I am wondering if anyone else has had any success securing their jails
> (i.e. removing device nodes such as those that provide raw access to
> disks)?

Jails and devfs rules work fine for me:

%uname -a
FreeBSD s2.stc 6.0-STABLE FreeBSD 6.0-STABLE #0: Fri Nov 11 04:03:19 MSK 2005 igorr@s2.stc:/usr/build/usr/src/sys/S2 i386

%jls
   JID  IP Address      Hostname                      Path
     3  192.168.2.52    samba-pdc.stc                 /home/jail/samba
     2  192.168.2.51    mail2.stc                     /home/jail/mail
     1  192.168.2.50    ldap.stc                      /home/jail/ldap

%mount
...
/dev/mirror/home on /home (ufs, local, soft-updates)
devfs on /home/jail/ldap/dev (devfs, local)
devfs on /home/jail/mail/dev (devfs, local)
devfs on /home/jail/samba/dev (devfs, local)

%ls /home/jail/samba/dev/
fd      null    ptyp1   stderr  stdout  ttyp1   zero
log     ptyp0   random  stdin   ttyp0   urandom

%grep devfs /etc/rc.conf
jail_mail_devfs_enable="YES"
jail_samba_devfs_enable="YES"
jail_ldap_devfs_enable="YES"
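
One way to check the result the listing above shows, as an added example that is not part of the original message: a small sh audit that flags any node in a jail's devfs mount that is not on an allowlist. The allowlist is taken from the `ls /home/jail/samba/dev/` output; the ptyp/ttyp range, the function names and the sample raw-disk node name are assumptions.

```shell
#!/bin/sh
# Added example: audit which device nodes a jail's devfs mount exposes.

# Allowlist: the names in the `ls /home/jail/samba/dev/` listing above.
# Assumption: any ptypN/ttypN pair is acceptable, not only 0 and 1.
node_allowed() {
    case "$1" in
        fd|log|null|zero|random|urandom|stdin|stdout|stderr) return 0 ;;
        ptyp[0-9a-v]|ttyp[0-9a-v]) return 0 ;;
    esac
    return 1
}

# Print every entry in DIR that is not on the allowlist, one per line.
unexpected_nodes() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for path in "$dir"/* "$dir"/.[!.]*; do
        # Skip glob patterns that matched nothing.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        node_allowed "$name" || printf '%s\n' "$name"
    done
    return 0
}

# Return 0 if DIR exposes only allowlisted nodes, 1 if not, 2 on error.
audit_jail_dev() {
    extra=$(unexpected_nodes "$1") || return 2
    if [ -n "$extra" ]; then
        printf 'UNEXPECTED in %s: %s\n' "$1" "$(printf '%s' "$extra" | tr '\n' ' ')"
        return 1
    fi
    printf 'OK %s\n' "$1"
}

# Demo on a constructed directory: plain files stand in for device nodes,
# and ad0s1a is a constructed example of a raw disk node name.
demo=$(mktemp -d)
for n in fd log null random stdin ttyp0 zero ad0s1a; do : > "$demo/$n"; done
audit_jail_dev "$demo" || true
rm -rf "$demo"
```

On a jail host, call `audit_jail_dev` once per devfs mount point from the `mount` output, for example `/home/jail/samba/dev`.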