summaryrefslogtreecommitdiffstats
path: root/usr.sbin/jail/jail.8
diff options
context:
space:
mode:
authorjamie <jamie@FreeBSD.org>2012-02-27 22:28:38 +0000
committerjamie <jamie@FreeBSD.org>2012-02-27 22:28:38 +0000
commitce34112a7dc2c5d7092d69bc27eac385caeae9cd (patch)
tree276f05b06c0f66b3c85c10158d862f3ac28fbc8d /usr.sbin/jail/jail.8
parenta85d762796e36a664734574599d8854c54db7479 (diff)
downloadFreeBSD-src-ce34112a7dc2c5d7092d69bc27eac385caeae9cd.zip
FreeBSD-src-ce34112a7dc2c5d7092d69bc27eac385caeae9cd.tar.gz
From r224286:
Document the potential for jail escape. From r224615: Always disable mount and unmount for jails with enforce_statfs==2. From r231267: A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for mounting devfs inside jails. A value of -1 disables mounting devfs in jails, a value of zero means no restrictions. Nested jails can only have mounting devfs disabled or inherit parent's enforcement as jails are not allowed to view or manipulate devfs(8) rules. From r232059: To improve control over the use of mount(8) inside a jail(8), introduce a new jail parameter node with the following parameters: allow.mount.devfs: allow mounting the devfs filesystem inside a jail allow.mount.nullfs: allow mounting the nullfs filesystem inside a jail From r232186: allow.mount.zfs: allow mounting the zfs filesystem inside a jail
Diffstat (limited to 'usr.sbin/jail/jail.8')
-rw-r--r--usr.sbin/jail/jail.860
1 files changed, 57 insertions, 3 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index a1c3141..9214543 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd October 20, 2010
+.Dd February 26, 2012
.Dt JAIL 8
.Os
.Sh NAME
@@ -396,6 +396,18 @@ A jail never has a lower securelevel than the default system, but by
setting this parameter it may have a higher one.
If the system securelevel is changed, any jail securelevels will be at
least as secure.
+.It Va devfs_ruleset
+The number of the devfs ruleset that is enforced for mounting devfs in
+this jail. A value of zero (default) means no ruleset is enforced. Descendant
+jails inherit the parent jail's devfs ruleset enforcement. Mounting devfs
+inside a jail is possible only if the
+.Va allow.mount
+and
+.Va allow.mount.devfs
+permissions are effective and
+.Va enforce_statfs
+is set to a value lower than 2.
+Devfs rules and rulesets cannot be viewed or modified from inside a jail.
.It Va children.max
The number of child jails allowed to be created by this jail (or by
other jails under this jail).
@@ -491,6 +503,39 @@ The
.Xr lsvfs 1
command can be used to find file system types available for mount from
within a jail.
+This permission is effective only if
+.Va enforce_statfs
+is set to a value lower than 2.
+.It Va allow.mount.devfs
+privileged users inside the jail will be able to mount and unmount the
+devfs file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2. Please consider restricting the devfs ruleset
+with the
+.Va devfs_ruleset
+option.
+.It Va allow.mount.nullfs
+privileged users inside the jail will be able to mount and unmount the
+nullfs file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2.
+.It Va allow.mount.zfs
+privileged users inside the jail will be able to mount and unmount the
+ZFS file system.
+This permission is effective only together with
+.Va allow.mount
+and if
+.Va enforce_statfs
+is set to a value lower than 2. See
+.Xr zfs 8
+for information on how to configure the ZFS filesystem to operate from
+within a jail.
.It Va allow.quotas
The prison root may administer quotas on the jail's filesystem(s).
This includes filesystems that the jail may share with other jails or
@@ -997,9 +1042,11 @@ It is not possible to
or
.Xr umount 8
any file system inside a jail unless the file system is marked
-jail-friendly and the jail's
+jail-friendly, the jail's
.Va allow.mount
-parameter is set.
+parameter is set and the jail's
+.Va enforce_statfs
+parameter is lower than 2.
.Pp
Multiple jails sharing the same file system can influence each other.
For example a user in one jail can fill the file system also
@@ -1154,3 +1201,10 @@ Currently, the simplest answer is to minimize services
offered on the host, possibly limiting it to services offered from
.Xr inetd 8
which is easily configurable.
+.Sh NOTES
+Great care should be taken when managing directories visible within the jail.
+For example, if a jailed process has its current working directory set to a
+directory that is moved out of the jail's chroot, then the process may gain
+access to the file space outside of the jail.
+It is recommended that directories always be copied, rather than moved, out
+of a jail.
OpenPOWER on IntegriCloud