When pointing users at mount_devfs to populate the /dev of a jail,
tell them that they also need to use devfs rules to prevent inappropriate devices from appearing in the jail; add an Xref. In earlier versions of this man page, the user was instructed to use sh MAKEDEV jail, which only created a minimal set of device nodes.
This commit is contained in:
rwatson
parent
c6daedee3d
commit
d47074eb37
@ -88,6 +88,15 @@ cd $D
|
|||||||
ln -sf dev/null kernel
|
ln -sf dev/null kernel
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
|
NOTE: It is important that only appropriate device nodes in devfs be
|
||||||
|
exposed to a jail; access to disk devices in the jail may permit processes
|
||||||
|
in the jail to bypass the jail sandboxing by modifying files outside of
|
||||||
|
the jail.
|
||||||
|
See
|
||||||
|
.Xr devfs 8
|
||||||
|
for information on how to use devfs rules to limit access to entries
|
||||||
|
in the per-jail devfs.
|
||||||
|
.Pp
|
||||||
In many cases this example would put far more stuff in the jail than is needed.
|
In many cases this example would put far more stuff in the jail than is needed.
|
||||||
In the other extreme case a jail might contain only one single file:
|
In the other extreme case a jail might contain only one single file:
|
||||||
the executable to be run in the jail.
|
the executable to be run in the jail.
|
||||||
@ -402,6 +411,7 @@ by setting this MIB entry to 1.
|
|||||||
.Xr procfs 5 ,
|
.Xr procfs 5 ,
|
||||||
.Xr rc.conf 5 ,
|
.Xr rc.conf 5 ,
|
||||||
.Xr sysctl.conf 5 ,
|
.Xr sysctl.conf 5 ,
|
||||||
|
.Xr devfs 8 ,
|
||||||
.Xr halt 8 ,
|
.Xr halt 8 ,
|
||||||
.Xr inetd 8 ,
|
.Xr inetd 8 ,
|
||||||
.Xr jexec 8 ,
|
.Xr jexec 8 ,
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user