When pointing users at mount_devfs to populate the /dev of a jail,
tell them that they also need to use devfs rules to prevent inappropriate devices from appearing in the jail; add an Xref. In earlier versions of this man page, the user was instructed to use sh MAKEDEV jail, which only created a minimal set of device nodes.
This commit is contained in:
rwatson
parent
c6daedee3d
commit
d47074eb37
@ -88,6 +88,15 @@ cd $D
|
||||
ln -sf dev/null kernel
|
||||
.Ed
|
||||
.Pp
|
||||
NOTE: It is important that only appropriate device nodes in devfs be
|
||||
exposed to a jail; access to disk devices in the jail may permit processes
|
||||
in the jail to bypass the jail sandboxing by modifying files outside of
|
||||
the jail.
|
||||
See
|
||||
.Xr devfs 8
|
||||
for information on how to use devfs rules to limit access to entries
|
||||
in the per-jail devfs.
|
||||
.Pp
|
||||
In many cases this example would put far more stuff in the jail than is needed.
|
||||
In the other extreme case a jail might contain only one single file:
|
||||
the executable to be run in the jail.
|
||||
@ -402,6 +411,7 @@ by setting this MIB entry to 1.
|
||||
.Xr procfs 5 ,
|
||||
.Xr rc.conf 5 ,
|
||||
.Xr sysctl.conf 5 ,
|
||||
.Xr devfs 8 ,
|
||||
.Xr halt 8 ,
|
||||
.Xr inetd 8 ,
|
||||
.Xr jexec 8 ,
|
||||
|
||||
Loading…
Reference in New Issue
Block a user