On Mon, Feb 21, 2005 at 10:16:56PM +0000, Wojciech A. Koszek wrote:
> Hello hackers,
> I would like to let you know I've been doing a [partial] audit of ioctl()
> code. There are some places, which may interest you. These are:
>
> sys/cam/cam_xpt.c
> sys/contrib/ipfilter/netinet/ip_fil.c
> sys/contrib/pf/net/pf_ioctl.c
> sys/dev/ata/ata-all.c
> sys/dev/md/md.c
> sys/geom/geom_ctl.c
>
> Those files contain ioctl()s, which let us interact between jailed
> processes and each of these subsystems. Although files like /dev/mdctl
> should not appear in /dev with normal DEVFS rulesets, I think it would be
> better if FreeBSD had those ioctl() disabled within a jail()ed environment.
> There is probably one reason for keeping ipf/pf, since someone may want to
> fetch information about NATed connections.

These devices should all not be exposed to the jailed environment, in my opinion. Since this can be done with devfs's rules, I think this is not a bug...

Default devfs configuration for a jail is not to mount it. Additionally, the default devfs ruleset hides everything but a limited set of pseudo devices that should be common for applications to consume. Therefore, I'd rather say that it's a configuration mistake of the user (^_^)

Do you imply that there are other devices that enforce a check against whether they are ioctl'ed in jail?

Cheers,
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.
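
The ruleset behaviour described in the reply can be checked mechanically. The following is an added example, not code from the thread or from FreeBSD: a simplified evaluator for devfs.rules-style text that reports which control devices a jail ruleset would leave visible. It models only "include", "path" and "hide"/"unhide"; the device node names other than mdctl, the sample rules and the "devfsrules_jail_loose" ruleset are assumptions constructed for illustration.

```python
import fnmatch
import shlex

# Control nodes behind the ioctl() code named in the thread (assumed node names).
SENSITIVE = ["mdctl", "xpt0", "ata", "pf", "ipl", "geom.ctl"]
# Constructed sample in devfs.rules syntax; the last ruleset is a deliberate mistake.
SAMPLE_RULES = """
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
add path random unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
[devfsrules_jail_loose=10]
add include $devfsrules_jail
add path 'md*' unhide
add path pf unhide
"""

def parse(text):
    """Return {ruleset_name: [token lists]} from devfs.rules-style text."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = rulesets.setdefault(line[1:-1].split("=")[0], [])
        elif line.startswith("add ") and current is not None:
            current.append(shlex.split(line)[1:])
    return rulesets

def visible(rulesets, name, dev, state=True):
    """Apply rules in order; the last matching hide/unhide decides visibility."""
    for tok in rulesets[name]:
        pattern = tok[tok.index("path") + 1] if "path" in tok else "*"
        if tok[0] == "include":
            state = visible(rulesets, tok[1].lstrip("$"), dev, state)
        elif fnmatch.fnmatchcase(dev, pattern):
            state = {"hide": False, "unhide": True}.get(tok[-1], state)
    return state

def exposed(rulesets, name):
    """List the sensitive nodes that stay visible under the named ruleset."""
    return [d for d in SENSITIVE if visible(rulesets, name, d)]

if __name__ == "__main__":
    rs = parse(SAMPLE_RULES)
    for name in ("devfsrules_jail", "devfsrules_jail_loose"):
        print(name, "exposes:", exposed(rs, name) or "nothing sensitive")
```

The hide-all-then-unhide ruleset exposes none of the listed nodes, while the loosened one re-exposes mdctl and pf, which is the kind of configuration mistake the reply refers to.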