Re: [PATCH] jail NG schript patch for mounting devfs andprocfsautomatically
On 14.08.2003 15:36, Scot W. Hetzel wrote:
I just noticed a problem with periodic scripts inside a jail. I'm getting:
Local system status:
tee: /dev/stderr: Operation not supported
Mail in local queue:
tee: /dev/stderr: Operation not supported
Mail in submit queue:
tee: /dev/stderr: Operation not supported
in the periodic daily, weekly, monthly and security reports. But if I mount
the fdescfs on the jail, then these errors go away.
So we need to add the following to the new jail script
jail_start()
{
:
eval jail_devfs=\\$jail_${_jail}_devfs\
[ -z ${jail_devfs} ] jail_devfs=NO:
eval jail_fdescfs=\\$jail_${_jail}_fdescfs\
[ -z ${jail_fdescfs} ] jail_fdescfs=NO
:
if checkyesno jail_devfs ; then
mount -t devfs dev ${jail_devdir}
if checkyesno jail_fdescfs ; then
mount -t fdescfs fdesc ${jail_devdir}/fd
fi
:
fi
:
}
jail_stop()
{
:
eval jail_devfs=\\$jail_${_jail}_devfs\
[ -z ${jail_devfs} ] jail_devfs=NO:
eval jail_fdescfs=\\$jail_${_jail}_fdescfs\
[ -z ${jail_fdescfs} ] jail_fdescfs=NO
:
if checkyesno jail_devfs ; then
if [ -d ${jail_devdir} ] ; then
if checkyesno jail_fdescfs; then
umount -f ${jail_devdir}/fd /dev/null 21
fi
umount -f ${jail_devdir} /dev/null 21
fi
fi
:
}
The only decsion we need to make is wheter to always mount the fdescfs when
devfs is mounted on the jail, or have a variable to enable mounting of the
fdescfs (jail_*_fdescfs).
Scot
I don't run periodics in jails, because they are not allowed to mail
out :-)
But I wouldn't really care having fdescfs mounted every time as
security problem, so I would decide to mount it ever (or defaultly).
If someone cares, addition of jail_example_mount_fdescfs is
recommented.
I add a CC to security@, because of there may be one or other who
has an important comment.
Best,
Jens
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [PATCH] jail NG schript patch for mounting devfs andprocfsautomatically
I just noticed a problem with periodic scripts inside a jail. I'm getting:
Local system status:
tee: /dev/stderr: Operation not supported
Mail in local queue:
tee: /dev/stderr: Operation not supported
Mail in submit queue:
tee: /dev/stderr: Operation not supported
in the periodic daily, weekly, monthly and security reports. But if I mount
the fdescfs on the jail, then these errors go away.
So we need to add the following to the new jail script
jail_start()
{
:
eval jail_devfs=\\$jail_${_jail}_devfs\
[ -z ${jail_devfs} ] jail_devfs=NO:
eval jail_fdescfs=\\$jail_${_jail}_fdescfs\
[ -z ${jail_fdescfs} ] jail_fdescfs=NO
:
if checkyesno jail_devfs ; then
mount -t devfs dev ${jail_devdir}
if checkyesno jail_fdescfs ; then
mount -t fdescfs fdesc ${jail_devdir}/fd
fi
:
fi
:
}
jail_stop()
{
:
eval jail_devfs=\\$jail_${_jail}_devfs\
[ -z ${jail_devfs} ] jail_devfs=NO:
eval jail_fdescfs=\\$jail_${_jail}_fdescfs\
[ -z ${jail_fdescfs} ] jail_fdescfs=NO
:
if checkyesno jail_devfs ; then
if [ -d ${jail_devdir} ] ; then
if checkyesno jail_fdescfs; then
umount -f ${jail_devdir}/fd /dev/null 21
fi
umount -f ${jail_devdir} /dev/null 21
fi
fi
:
}
The only decsion we need to make is wheter to always mount the fdescfs when
devfs is mounted on the jail, or have a variable to enable mounting of the
fdescfs (jail_*_fdescfs).
Scot
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [PATCH] jail NG schript patch for mounting devfs andprocfsautomatically
From: Mike Makonnen [EMAIL PROTECTED] On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote: Someone, and unfortunately I appear to have lost track of who, had some tweaks to the rcNG scripts to set up some reasonable devfs rules for a jail, and apply them to the devfs mounted in a jail. Otherwise, you risk exposing undesired device nodes to the virtual environment. I suspect a search of the -current archives will turn up who, but I think a necessary part of a solution here will be to make sure jails are set up with the right devfs contents. Sorry, overseen. Sct W. Hetzel was the submitter, but it never becomes committed. If could be be so kind, please :-) (of course, not without prove it first) Yeah, I'll take care of this. I had asked scott to mail me his final patch so I could commit it, but I never heard back from him. I'll dig out the revisions from my mail archives and combine the two. I thought I had submitted my final patch, the only thing left was what number to use for the default jail devfs rule. We also need a way to load user defined devfs rules. I'll need to re-cvs diff my current devfs and jail scripts, before I'll be able to send them again. Scot ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [PATCH] jail NG schript patch for mounting devfs andprocfsautomatically
Below is my current patch to devfs and jail to support the mounting of devfs
and procfs in jails. This patch also allows a jail to specify what devfs
rule to apply to the jail. As well as defining a default jail devfs rule
in /etc/rc.d/devfs.
Scot
Index: etc/defaults/rc.conf
===
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.182
diff -u -r1.182 rc.conf
--- etc/defaults/rc.conf28 Jul 2003 13:09:00 - 1.182
+++ etc/defaults/rc.conf29 Jul 2003 22:06:08 -
@@ -426,12 +426,35 @@
harvest_ethernet=YES # Entropy device harvests ethernet randomness
harvest_p_to_p=YES # Entropy device harvests point-to-point randomness
dmesg_enable=YES # Save dmesg(8) to /var/run/dmesg.boot
-jail_enable=NO # Set to NO to disable starting of any jails
-jail_list= # Space separated list of names of jails
-jail_set_hostname_allow=YES # Allow root user in a jail to change its hostname
-jail_socket_unixiproute_only=YES # Route only TCP/IP within a jail
-jail_sysvipc_allow=NO # Allow SystemV IPC use from within a jail
watchdogd_enable=NO # Start the software watchdog daemon
+
+##
+### Jail Configuration ###
+##
+devfs_jail_ruleset_enable=NO # Enable Standard Jail devfs ruleset in
rc.d/devfs
+devfs_jail_ruleset_num=666 # Standard Jail ruleset number
+ # (change if it conflicts with your rulesets)
+
+jail_enable=NO # Set to NO to disable starting of any jails
+jail_list= # Space separated list of names of jails
+jail_set_hostname_allow=YES # Allow root user in a jail to change its
hostname
+jail_socket_unixiproute_only=YES # Route only TCP/IP within a jail
+jail_sysvipc_allow=NO# Allow SystemV IPC use from within a
jail
+jail_default_ruleset=666 # Default jail devfs ruleset to apply
+jail_stop_jailer=NO # Only stop jailer. Requires jail_*_exec be set
+ # to use sysutils/jailer port to start the
jail.
+
+# create an entry for each jail named in jail_list, with these variables
+#
+#jail_example_rootdir=/usr/jail/default # Jails root directory
+#jail_example_hostname=default.domain.com# Jails hostname
+#jail_example_ip=192.168.0.10# Jails IP number
+#jail_example_exec=/bin/sh /etc/rc # command to execute in jail
+#jail_example_devfs=NO # mount devfs in jail
+#jail_example_devfs_ruleset=666 # devfs ruleset to apply to jail
+#jail_example_procfs=NO # mount procfs in jail
+#
+# NOTE: replace 'example' with the jail's name from jail_list
##
### Define source_rc_confs, the mechanism used by /etc/rc.* ##
Index: etc/rc.d/devfs
===
RCS file: /home/ncvs/src/etc/rc.d/devfs,v
retrieving revision 1.5
diff -u -r1.5 devfs
--- etc/rc.d/devfs 6 May 2003 01:10:33 - 1.5
+++ etc/rc.d/devfs 6 May 2003 16:24:39 -
@@ -39,3 +39,21 @@
load_rc_config $name
run_rc_command $1
+
+# Standard Jail ruleset
+if checkyesno devfs_jail_ruleset_enable ; then
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} delset
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 100 hide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 200 path ptyp* unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 300 path ttyp* unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 400 path null unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 500 path zero unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 600 path random unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 610 path urandom unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 700 path fd unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 800 path fd/* unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 810 path mdctl unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 900 path stdin unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 910 path stdout unhide
+ /sbin/devfs rule -s ${devfs_jail_ruleset_num} add 920 path stderr unhide
+fi
Index: etc/rc.d/jail
===
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.4
diff -u -r1.4 jail
--- etc/rc.d/jail 5 May 2003 15:38:41 - 1.4
+++ etc/rc.d/jail 21 Jun 2003 20:22:44 -
@@ -6,7 +6,7 @@
# PROVIDE: jail
# REQUIRE: LOGIN
# BEFORE: securelevel
-# KEYWORD: FreeBSD
+#
