Date:      Sat, 26 Feb 2005 14:23:27 +0000
From:      "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
To:        freebsd-hackers@freebsd.org
Subject:   Re: [PATCH] Dangerous jail()<->ioctl interactions.
Message-ID:  <20050226142327.GA92852@freebsd.czest.pl>
In-Reply-To: <20050223170317.GA73338@frontfree.net>
References:  <20050221221656.GA64212@freebsd.czest.pl> <20050223170317.GA73338@frontfree.net>

On Thu, Feb 24, 2005 at 01:03:17AM +0800, Xin LI wrote:
> On Mon, Feb 21, 2005 at 10:16:56PM +0000, Wojciech A. Koszek wrote:
> > Hello hackers,
> > I would like to let you know I've been doing [partial] audit of ioctl()
[..]
> > connections.
> The default devfs configuration for a jail is not to mount it.  Additionally, the
> default devfs ruleset hides everything but a limited set of pseudo devices that
> should be common for applications to consume.  Therefore, I'd rather say that
> it's a configuration mistake of the user (^_^)
> 
> Do you imply that there are other devices that enforce check against whether they
> are ioctl'ed in jail?

I agree these files should not appear inside a jailed environment. I've just
pointed out devices which are not secured by the underlying code (I mean, just
like ioctl()ing interface files, which are secured by the general ioctl()
handler making a suser() test).

Cheers,
-- 
* Wojciech A. Koszek && dunstan@FreeBSD.czest.pl
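The mitigation both posters rely on is the devfs ruleset applied when devfs is mounted inside a jail. The fragment below is an added illustration, not part of this thread or of FreeBSD's shipped defaults: it assumes a jail named `www` and a free ruleset number 5, and uses the `add hide`, `add path ... unhide` and `add include` directives of devfs.rules(5) together with the `mount.devfs` / `devfs_ruleset` parameters of jail.conf(5).

```ini
; /etc/devfs.rules (added example; ruleset number 5 is an assumption)
; Start from "hide everything", then unhide only the pseudo devices a
; jailed service actually needs. Anything not listed stays invisible,
; so a driver whose ioctl() handler performs no jail/suser() check is
; never reachable from inside the jail in the first place.
[devfsrules_jail_www=5]
add hide
add path null unhide
add path zero unhide
add path random unhide
add path urandom unhide
add path log unhide
add path 'pts/*' unhide

; /etc/jail.conf (jail name "www" is an assumption)
; Weak form: mount.devfs with no ruleset exposes the host's device tree
; to the jail and depends on every driver checking for itself.
; Corrected form: bind the restrictive ruleset above to the mount.
www {
	path = "/jails/www";
	mount.devfs;
	devfs_ruleset = 5;
}
```

After `service devfs restart`, `devfs rule -s 5 show` lists the active rules, and `ls /jails/www/dev` from the host should show only the unhidden nodes.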
