Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically
On 14.08.2003 15:36, Scot W. Hetzel wrote:

> I just noticed a problem with periodic scripts inside a jail. I'm getting:
>
>     Local system status:
>     tee: /dev/stderr: Operation not supported
>     Mail in local queue:
>     tee: /dev/stderr: Operation not supported
>     Mail in submit queue:
>     tee: /dev/stderr: Operation not supported
>
> in the periodic daily, weekly, monthly and security reports. But if I mount the fdescfs on the jail, then these errors go away. So we need to add the following to the new jail script:
>
>     jail_start() {
>         :
>         # per-jail knobs from rc.conf; both default to NO
>         eval jail_devfs=\"\$jail_${_jail}_devfs\"
>         [ -z "${jail_devfs}" ] && jail_devfs="NO"
>         eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
>         [ -z "${jail_fdescfs}" ] && jail_fdescfs="NO"
>         :
>         if checkyesno jail_devfs ; then
>             mount -t devfs dev ${jail_devdir}
>             # fdescfs provides /dev/fd/* and hence /dev/stderr
>             if checkyesno jail_fdescfs ; then
>                 mount -t fdescfs fdesc ${jail_devdir}/fd
>             fi
>             :
>         fi
>         :
>     }
>
>     jail_stop() {
>         :
>         eval jail_devfs=\"\$jail_${_jail}_devfs\"
>         [ -z "${jail_devfs}" ] && jail_devfs="NO"
>         eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
>         [ -z "${jail_fdescfs}" ] && jail_fdescfs="NO"
>         :
>         if checkyesno jail_devfs ; then
>             if [ -d ${jail_devdir} ] ; then
>                 # unmount fdescfs before the devfs it sits on
>                 if checkyesno jail_fdescfs; then
>                     umount -f ${jail_devdir}/fd >/dev/null 2>&1
>                 fi
>                 umount -f ${jail_devdir} >/dev/null 2>&1
>             fi
>         fi
>         :
>     }
>
> The only decision we need to make is whether to always mount the fdescfs when devfs is mounted on the jail, or have a variable to enable mounting of the fdescfs (jail_*_fdescfs).
>
> Scot

I don't run periodics in jails, because they are not allowed to mail out :-)

But I wouldn't really care about having fdescfs mounted every time as a security problem, so I would decide to always mount it (or mount it by default). If someone cares, adding jail_example_mount_fdescfs is recommended.

I add a CC to security@, because there may be one or other who has an important comment.

Best,
Jens

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically
I just noticed a problem with periodic scripts inside a jail. I'm getting:

    Local system status:
    tee: /dev/stderr: Operation not supported
    Mail in local queue:
    tee: /dev/stderr: Operation not supported
    Mail in submit queue:
    tee: /dev/stderr: Operation not supported

in the periodic daily, weekly, monthly and security reports. But if I mount the fdescfs on the jail, then these errors go away. So we need to add the following to the new jail script:

    jail_start() {
        :
        # per-jail knobs from rc.conf; both default to NO
        eval jail_devfs=\"\$jail_${_jail}_devfs\"
        [ -z "${jail_devfs}" ] && jail_devfs="NO"
        eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
        [ -z "${jail_fdescfs}" ] && jail_fdescfs="NO"
        :
        if checkyesno jail_devfs ; then
            mount -t devfs dev ${jail_devdir}
            # fdescfs provides /dev/fd/* and hence /dev/stderr
            if checkyesno jail_fdescfs ; then
                mount -t fdescfs fdesc ${jail_devdir}/fd
            fi
            :
        fi
        :
    }

    jail_stop() {
        :
        eval jail_devfs=\"\$jail_${_jail}_devfs\"
        [ -z "${jail_devfs}" ] && jail_devfs="NO"
        eval jail_fdescfs=\"\$jail_${_jail}_fdescfs\"
        [ -z "${jail_fdescfs}" ] && jail_fdescfs="NO"
        :
        if checkyesno jail_devfs ; then
            if [ -d ${jail_devdir} ] ; then
                # unmount fdescfs before the devfs it sits on
                if checkyesno jail_fdescfs; then
                    umount -f ${jail_devdir}/fd >/dev/null 2>&1
                fi
                umount -f ${jail_devdir} >/dev/null 2>&1
            fi
        fi
        :
    }

The only decision we need to make is whether to always mount the fdescfs when devfs is mounted on the jail, or have a variable to enable mounting of the fdescfs (jail_*_fdescfs).

Scot
Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically
From: Mike Makonnen [EMAIL PROTECTED]

> On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote:
>
> > > Someone, and unfortunately I appear to have lost track of who, had some tweaks to the rcNG scripts to set up some reasonable devfs rules for a jail, and apply them to the devfs mounted in a jail. Otherwise, you risk exposing undesired device nodes to the virtual environment. I suspect a search of the -current archives will turn up who, but I think a necessary part of a solution here will be to make sure jails are set up with the right devfs contents.
> >
> > Sorry, overseen. Scot W. Hetzel was the submitter, but it never got committed. If you could be so kind, please :-) (of course, not without proving it first)
>
> Yeah, I'll take care of this. I had asked Scot to mail me his final patch so I could commit it, but I never heard back from him. I'll dig out the revisions from my mail archives and combine the two.

I thought I had submitted my final patch; the only thing left was what number to use for the default jail devfs rule. We also need a way to load user-defined devfs rules.

I'll need to re-cvs diff my current devfs and jail scripts before I'll be able to send them again.

Scot
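The risk quoted above, a jail's devfs exposing undesired device nodes, is easiest to catch by checking what the mounted devfs actually shows. The POSIX sh audit below is an added example, not code from this thread or from the FreeBSD rc scripts; its allowlist copies the unhide rules of Scot's proposed standard jail ruleset (the rc.d/devfs hunk later in this thread), and the mount path and the device listing it runs over are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the patch: flag device nodes that a
# jail's devfs exposes beyond what the proposed standard jail ruleset unhides,
# so a ruleset that was never populated (and therefore hides nothing) shows up.

# is_allowed NAME: succeed if NAME matches one of the ruleset's unhide
# rules (patterns copied from the rc.d/devfs hunk in this thread).
is_allowed() {
	case "$1" in
		ptyp*|ttyp*|null|zero|random|urandom|fd|fd/*|mdctl|stdin|stdout|stderr)
			return 0 ;;
	esac
	return 1
}

# unexpected_nodes: read node paths (relative to the jail's /dev, one per
# line) on stdin, print those outside the allowlist; exit 1 if any were found.
unexpected_nodes() {
	_found=0
	while IFS= read -r _node; do
		[ -n "$_node" ] || continue
		if ! is_allowed "$_node"; then
			printf '%s\n' "$_node"
			_found=1
		fi
	done
	return $_found
}

# audit_jail_devfs DIR: walk a jail's devfs mount point (hypothetical path,
# e.g. /usr/jail/www/dev) and report what the ruleset failed to hide.
audit_jail_devfs() {
	( cd "$1" && find . -mindepth 1 | sed 's|^\./||' ) | unexpected_nodes
}

# Constructed listing for a jail whose ruleset was never created: the raw
# disk, bpf and kmem are visible next to the nodes the jail really needs.
sample_listing="null
zero
ptyp0
fd
fd/0
mdctl
ad0s1a
bpf0
kmem"

# audit_sample: the check over the constructed listing (prints the three
# host-only nodes and returns 1).
audit_sample() {
	printf '%s\n' "$sample_listing" | unexpected_nodes
}
```

On a real host, `audit_jail_devfs /path/to/jail/dev` run from cron or periodic(8) on the host side gives the same report for a live jail.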
Re: [PATCH] jail NG script patch for mounting devfs and procfs automatically
Below is my current patch to devfs and jail to support the mounting of devfs and procfs in jails. This patch also allows a jail to specify what devfs rule to apply to the jail, as well as defining a default jail devfs rule in /etc/rc.d/devfs.

Scot

Index: etc/defaults/rc.conf === RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.182 diff -u -r1.182 rc.conf --- etc/defaults/rc.conf28 Jul 2003 13:09:00 - 1.182 +++ etc/defaults/rc.conf29 Jul 2003 22:06:08 - 
@@ -426,12 +426,35 @@ harvest_ethernet=YES # Entropy device harvests ethernet randomness harvest_p_to_p=YES # Entropy device harvests point-to-point randomness dmesg_enable=YES # Save dmesg(8) to /var/run/dmesg.boot -jail_enable=NO # Set to NO to disable starting of any jails -jail_list= # Space separated list of names of jails -jail_set_hostname_allow=YES # Allow root user in a jail to change its hostname -jail_socket_unixiproute_only=YES # Route only TCP/IP within a jail -jail_sysvipc_allow=NO # Allow SystemV IPC use from within a jail watchdogd_enable=NO # Start the software watchdog daemon + +## +### Jail Configuration ### +## +devfs_jail_ruleset_enable=NO # Enable Standard Jail devfs ruleset in rc.d/devfs +devfs_jail_ruleset_num=666 # Standard Jail ruleset number + # (change if it conflicts with your rulesets) + +jail_enable=NO # Set to NO to disable starting of any jails +jail_list= # Space separated list of names of jails +jail_set_hostname_allow=YES # Allow root user in a jail to change its hostname +jail_socket_unixiproute_only=YES # Route only TCP/IP within a jail +jail_sysvipc_allow=NO# Allow SystemV IPC use from within a jail +jail_default_ruleset=666 # Default jail devfs ruleset to apply +jail_stop_jailer=NO # Only stop jailer. Requires jail_*_exec be set + # to use sysutils/jailer port to start the jail. 
+ +# create an entry for each jail named in jail_list, with these variables +# +#jail_example_rootdir=/usr/jail/default # Jails root directory +#jail_example_hostname=default.domain.com# Jails hostname +#jail_example_ip=192.168.0.10# Jails IP number +#jail_example_exec=/bin/sh /etc/rc # command to execute in jail +#jail_example_devfs=NO # mount devfs in jail +#jail_example_devfs_ruleset=666 # devfs ruleset to apply to jail +#jail_example_procfs=NO # mount procfs in jail +# +# NOTE: replace 'example' with the jail's name from jail_list ## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## Index: etc/rc.d/devfs === RCS file: /home/ncvs/src/etc/rc.d/devfs,v retrieving revision 1.5 diff -u -r1.5 devfs --- etc/rc.d/devfs 6 May 2003 01:10:33 - 1.5 +++ etc/rc.d/devfs 6 May 2003 16:24:39 - 
@@ -39,3 +39,21 @@ load_rc_config $name run_rc_command $1 + +# Standard Jail ruleset +if checkyesno devfs_jail_ruleset_enable ; then + /sbin/devfs rule -s ${devfs_jail_ruleset_num} delset + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 100 hide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 200 path ptyp* unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 300 path ttyp* unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 400 path null unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 500 path zero unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 600 path random unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 610 path urandom unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 700 path fd unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 800 path fd/* unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 810 path mdctl unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 900 path stdin unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 910 path stdout unhide + /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 920 path stderr unhide +fi Index: etc/rc.d/jail === RCS file: /home/ncvs/src/etc/rc.d/jail,v retrieving revision 1.4 diff -u -r1.4 jail --- etc/rc.d/jail 5 May 2003 15:38:41 - 1.4 +++ etc/rc.d/jail 21 Jun 2003 20:22:44 - @@ -6,7 +6,7 @@ # PROVIDE: jail # REQUIRE: LOGIN # BEFORE: securelevel -# KEYWORD: FreeBSD +#
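Review bot: in the etc/defaults/rc.conf hunk, jail_default_ruleset=666 and the per-jail example jail_example_devfs_ruleset=666 repeat the number held in devfs_jail_ruleset_num=666 instead of referring to it, so an administrator who follows the comment and changes devfs_jail_ruleset_num to avoid a conflict is left with jails applying a ruleset that rc.d/devfs never populates, and an unpopulated devfs ruleset hides nothing. Suggest `jail_default_ruleset=${devfs_jail_ruleset_num}` plus a comment stating the coupling. The shipped defaults fail open the same way: devfs_jail_ruleset_enable=NO means ruleset 666 is never created, yet jail_default_ruleset=666 is what a jail with jail_example_devfs=YES will apply; either enable the ruleset whenever any jail mounts devfs, or refuse to mount devfs in a jail when its ruleset does not exist.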
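Review bot: in the etc/rc.d/devfs hunk, the standard jail ruleset block is appended after `run_rc_command $1`, so it runs on every invocation of the script (stop, restart, status) rather than only on start; moving it into a start method keeps a stop or status call from rebuilding the ruleset (the leading `delset` at least makes the rebuild idempotent). On the contents: rule 810 unhides mdctl for every jail that takes the default set, and nothing in this thread needs the md(4) control device (the periodic(8) breakage that motivated the fd, stdin, stdout and stderr entries does not), so either drop it from the default ruleset or document why jailed root gets it, since every node unhidden here is exposed to the jail.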