From d82dae3ec9f6067efa22b62cd79a961a4e86e645 Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Thu, 26 Jun 2003 19:04:15 +0000 Subject: [PATCH] When pointing users at mount_devfs to populate the /dev of a jail, tell them that they also need to use devfs rules to prevent inappropriate devices from appearing in the jail; add an Xref. In earlier versions of this man page, the user was instructed to use sh MAKEDEV jail, which only created a minimal set of device nodes. --- usr.sbin/jail/jail.8 | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 5317e05ccfab..74299d399ddd 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -88,6 +88,15 @@ cd $D ln -sf dev/null kernel .Ed .Pp +NOTE: It is important that only appropriate device nodes in devfs be +exposed to a jail; access to disk devices in the jail may permit processes +in the jail to bypass the jail sandboxing by modifying files outside of +the jail. +See +.Xr devfs 8 +for information on how to use devfs rules to limit access to entries +in the per-jail devfs. +.Pp In many cases this example would put far more stuff in the jail than is needed. In the other extreme case a jail might contain only one single file: the executable to be run in the jail. @@ -402,6 +411,7 @@ by setting this MIB entry to 1. .Xr procfs 5 , .Xr rc.conf 5 , .Xr sysctl.conf 5 , +.Xr devfs 8 , .Xr halt 8 , .Xr inetd 8 , .Xr jexec 8 ,