From owner-freebsd-hackers@FreeBSD.ORG  Sat Feb 26 14:17:41 2005
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5BB4216A4CE
	for <freebsd-hackers@freebsd.org>;
	Sat, 26 Feb 2005 14:17:41 +0000 (GMT)
Received: from freebsd.czest.pl (silver.iplus.pl [80.48.250.4])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7601A43D54
	for <freebsd-hackers@freebsd.org>;
	Sat, 26 Feb 2005 14:17:40 +0000 (GMT)
	(envelope-from dunstan@freebsd.czest.pl)
Received: from freebsd.czest.pl (freebsd.czest.pl [80.48.250.4])
	by freebsd.czest.pl (8.12.10/8.12.9) with ESMTP id j1QENS9r092904
	for <freebsd-hackers@freebsd.org>; Sat, 26 Feb 2005 14:23:28 GMT
	(envelope-from dunstan@freebsd.czest.pl)
Received: (from dunstan@localhost)
	by freebsd.czest.pl (8.12.10/8.12.9/Submit) id j1QENSjY092903
	for freebsd-hackers@freebsd.org; Sat, 26 Feb 2005 14:23:28 GMT
	(envelope-from dunstan)
Date: Sat, 26 Feb 2005 14:23:27 +0000
From: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
To: freebsd-hackers@freebsd.org
Message-ID: <20050226142327.GA92852@freebsd.czest.pl>
References: <20050221221656.GA64212@freebsd.czest.pl>
	<20050223170317.GA73338@frontfree.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050223170317.GA73338@frontfree.net>
User-Agent: Mutt/1.4.2.1i
Subject: Re: [PATCH] Dangerous jail()<->ioctl interactions.
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Feb 2005 14:17:41 -0000

On Thu, Feb 24, 2005 at 01:03:17AM +0800, Xin LI wrote:
> On Mon, Feb 21, 2005 at 10:16:56PM +0000, Wojciech A. Koszek wrote:
> > Hello hackers,
> > I would like to let you know I've been doing [partial] audit of ioctl()
[..]
> > connections.
> Default devfs configuration for a jail is not to mount it.  Additionally, the
> default devfs ruleset hides everything but a limited set of pseudo devices that
> should be commen for applications to consume.  Therefore, I'd rather say that
> it's a configuration mistake of the user (^_^)
> 
> Do you imply that there are other devices that enforce check against whether they
> are ioctl'ed in jail?

I agree these files should not appear inside jailed environment. I've just
pointed devices, which are not secured by underlying code (I mean just like
ioctl()ing interface files, which are secured with general ioctl() handler
making suser() test).

Cheers,
-- 
* Wojciech A. Koszek && dunstan@FreeBSD.czest.pl