When pointing users at mount_devfs to populate the /dev of a jail,

tell them that they also need to use devfs rules to prevent
inappropriate devices from appearing in the jail; add an Xref.  In
earlier versions of this man page, the user was instructed to use
sh MAKEDEV jail, which only created a minimal set of device nodes.

1 files changed, 10 insertions, 0 deletions

diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 5317e05..74299d3 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -88,6 +88,15 @@ cd $D
 ln -sf dev/null kernel
 .Ed
 .Pp
+NOTE: It is important that only appropriate device nodes in devfs be
+exposed to a jail; access to disk devices in the jail may permit processes
+in the jail to bypass the jail sandboxing by modifying files outside of
+the jail.
+See
+.Xr devfs 8
+for information on how to use devfs rules to limit access to entries
+in the per-jail devfs.
+.Pp
 In many cases this example would put far more stuff in the jail than is needed.
 In the other extreme case a jail might contain only one single file:
 the executable to be run in the jail.
@@ -402,6 +411,7 @@ by setting this MIB entry to 1.
 .Xr procfs 5 ,
 .Xr rc.conf 5 ,
 .Xr sysctl.conf 5 ,
+.Xr devfs 8 ,
 .Xr halt 8 ,
 .Xr inetd 8 ,
 .Xr jexec 8 ,