From: Robert Sevat
To: freebsd-questions@freebsd.org
Date: Sat, 15 Nov 2014 06:14:29 +0100
Subject: How much of FreeBSD can be made read-only in a jail
Message-ID: <5466E135.80304@indylix.nl>

Hey all,

I've started using Ansible to make my life easier while managing a lot of jails. I've used ezjail up until now, but if I am using automation to manage them anyway, I might as well let Ansible set up the jails in an even more restrictive way. I am aware of the existence of bsdploy, but that uses ezjail and I'm aiming for an even more locked-down system.
Goal:
- make it impossible to install programs from inside the jail; only install them from outside the jail with pkg -j
- make it impossible to edit any configuration files from inside the jail, since that can be done from the host.

So my question is, how much can be made read-only? And what needs to be kept writable at a minimum for this to work?

- /tmp
- /var/log (configure a syslog server so logs don't need to be stored locally?)
- /var/tmp?
- /var/db?

Anything I'm missing, or other directories that should be writable? It will of course depend per application, but I only run one service per jail, so application-specific exceptions will be made while configuring the jail in the Ansible playbook.

Maybe I'm overlooking something and this is a bad idea because $reason? Any other advice / tips?

Thank you for your time!

Kind Regards,
Robert Sevat
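One way to lay out such a jail, as an added example that is not part of the original post or of ezjail/bsdploy: the shared base tree is mounted read-only with nullfs, the volatile directories asked about get a tmpfs, and the directories that pkg -j has to write get a per-jail writable nullfs. The /jails/base, /jails/<name> and /jails/<name>-rw paths and the jail name "www" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, ezjail or bsdploy): generate the
# fstab(5) for a jail whose root is a shared base tree mounted read-only via
# nullfs. Volatile dirs (/tmp, /var/tmp, /var/log, /var/run) get a tmpfs; dirs
# that "pkg -j" must write from the host (/usr/local, /var/db) get a per-jail rw
# nullfs from a host directory, because pkg -j writes through the jail's mounts.
# Paths /jails/base, /jails/<name>, /jails/<name>-rw are assumptions; every
# mount point must already exist as a directory in the base tree.

BASE=/jails/base
VOLATILE="/tmp /var/tmp /var/log /var/run"
PERSISTENT="/usr/local /var/db"

# gen_fstab NAME: print the fstab for jail NAME to stdout.
gen_fstab() {
    root="/jails/$1"; rw="/jails/$1-rw"
    # Whole tree read-only first; later lines mount over its subdirectories.
    printf '%s %s nullfs ro 0 0\n' "$BASE" "$root"
    for d in $VOLATILE; do
        case $d in
            /tmp|/var/tmp) mode=1777 ;;   # world-writable, sticky
            *)             mode=0755 ;;
        esac
        printf 'tmpfs %s%s tmpfs rw,size=64m,mode=%s 0 0\n' "$root" "$d" "$mode"
    done
    for d in $PERSISTENT; do
        printf '%s%s %s%s nullfs rw 0 0\n' "$rw" "$d" "$root" "$d"
    done
}

# gen_jailconf NAME: matching jail.conf(5) stanza. The jail cannot mount
# anything itself (allow.mount is off by default), sees only its root
# filesystem in statfs (enforce_statfs=2) and runs at securelevel 3.
gen_jailconf() {
    cat <<EOF
$1 {
    path = "/jails/$1";
    mount.fstab = "/etc/fstab.$1";
    mount.devfs;
    devfs_ruleset = 4;
    securelevel = 3;
    enforce_statfs = 2;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
}
# count_writable NAME: number of writable mounts the jail receives.
count_writable() { gen_fstab "$1" | grep -c ' rw'; }
```

Write the output of gen_fstab www to /etc/fstab.www and the gen_jailconf www stanza into jail.conf; pkg -j www install from the host then only succeeds because /usr/local and /var/db sit on the rw nullfs mounts, while everything else in the jail stays read-only.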