From owner-svn-src-projects@FreeBSD.ORG Mon Feb 27 22:28:39 2012 Return-Path: Delivered-To: svn-src-projects@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 26FA4106564A; Mon, 27 Feb 2012 22:28:39 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 1247C8FC0C; Mon, 27 Feb 2012 22:28:39 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q1RMScYJ039652; Mon, 27 Feb 2012 22:28:38 GMT (envelope-from jamie@svn.freebsd.org) Received: (from jamie@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q1RMSc85039650; Mon, 27 Feb 2012 22:28:38 GMT (envelope-from jamie@svn.freebsd.org) Message-Id: <201202272228.q1RMSc85039650@svn.freebsd.org> From: Jamie Gritton Date: Mon, 27 Feb 2012 22:28:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r232241 - projects/jailconf/usr.sbin/jail X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Feb 2012 22:28:39 -0000 Author: jamie Date: Mon Feb 27 22:28:38 2012 New Revision: 232241 URL: http://svn.freebsd.org/changeset/base/232241 Log: From r224286: Document the potential for jail escape. From r224615: Always disable mount and unmount for jails with enforce_statfs==2. From r231267: A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for mounting devfs inside jails. A value of -1 disables mounting devfs in jails, a value of zero means no restrictions. Nested jails can only have mounting devfs disabled or inherit parent's enforcement as jails are not allowed to view or manipulate devfs(8) rules. From r232059: To improve control over the use of mount(8) inside a jail(8), introduce a new jail parameter node with the following parameters: allow.mount.devfs: allow mounting the devfs filesystem inside a jail allow.mount.nullfs: allow mounting the nullfs filesystem inside a jail From r232186: allow.mount.zfs: allow mounting the zfs filesystem inside a jail Modified: projects/jailconf/usr.sbin/jail/jail.8 Modified: projects/jailconf/usr.sbin/jail/jail.8 ============================================================================== --- projects/jailconf/usr.sbin/jail/jail.8 Mon Feb 27 21:10:10 2012 (r232240) +++ projects/jailconf/usr.sbin/jail/jail.8 Mon Feb 27 22:28:38 2012 (r232241) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 20, 2010 +.Dd February 26, 2012 .Dt JAIL 8 .Os .Sh NAME @@ -396,6 +396,18 @@ A jail never has a lower securelevel tha setting this parameter it may have a higher one. If the system securelevel is changed, any jail securelevels will be at least as secure. +.It Va devfs_ruleset +The number of the devfs ruleset that is enforced for mounting devfs in +this jail. A value of zero (default) means no ruleset is enforced. Descendant +jails inherit the parent jail's devfs ruleset enforcement. Mounting devfs +inside a jail is possible only if the +.Va allow.mount +and +.Va allow.mount.devfs +permissions are effective and +.Va enforce_statfs +is set to a value lower than 2. +Devfs rules and rulesets cannot be viewed or modified from inside a jail. .It Va children.max The number of child jails allowed to be created by this jail (or by other jails under this jail). @@ -491,6 +503,39 @@ The .Xr lsvfs 1 command can be used to find file system types available for mount from within a jail. +This permission is effective only if +.Va enforce_statfs +is set to a value lower than 2. +.It Va allow.mount.devfs +privileged users inside the jail will be able to mount and unmount the +devfs file system. +This permission is effective only together with +.Va allow.mount +and if +.Va enforce_statfs +is set to a value lower than 2. Please consider restricting the devfs ruleset +with the +.Va devfs_ruleset +option. +.It Va allow.mount.nullfs +privileged users inside the jail will be able to mount and unmount the +nullfs file system. +This permission is effective only together with +.Va allow.mount +and if +.Va enforce_statfs +is set to a value lower than 2. +.It Va allow.mount.zfs +privileged users inside the jail will be able to mount and unmount the +ZFS file system. +This permission is effective only together with +.Va allow.mount +and if +.Va enforce_statfs +is set to a value lower than 2. See +.Xr zfs 8 +for information on how to configure the ZFS filesystem to operate from +within a jail. .It Va allow.quotas The prison root may administer quotas on the jail's filesystem(s). This includes filesystems that the jail may share with other jails or @@ -997,9 +1042,11 @@ It is not possible to or .Xr umount 8 any file system inside a jail unless the file system is marked -jail-friendly and the jail's +jail-friendly, the jail's .Va allow.mount -parameter is set. +parameter is set and the jail's +.Va enforce_statfs +parameter is lower than 2. .Pp Multiple jails sharing the same file system can influence each other. For example a user in one jail can fill the file system also @@ -1154,3 +1201,10 @@ Currently, the simplest answer is to min offered on the host, possibly limiting it to services offered from .Xr inetd 8 which is easily configurable. +.Sh NOTES +Great care should be taken when managing directories visible within the jail. +For example, if a jailed process has its current working directory set to a +directory that is moved out of the jail's chroot, then the process may gain +access to the file space outside of the jail. +It is recommended that directories always be copied, rather than moved, out +of a jail.