FreeBSD 10.0-RELEASE-p9
In /etc/jail.conf you can set
A FreeBSD security advisory https://www.freebsd.org/security/advisories/FreeBSD-SA-14:07.devfs.asc for devfs on 4-30-2014
Questions I'm uncertain of:
1) Does mount.devfs have to be set explicity in /etc/jail.conf?
2) In the workaround it says to set devfs_load_rulesets="YES" in /etc/rc.conf. If the patch is applied as noted in the solution, is it explicitly required to set this in /etc/rc.conf?
My /etc/jail.conf does not have mount.devfs and my /etc/rc.conf does not have devs_load_rulesets set; in my jails I have:
3) Is this what a Jail would see by default?
In /etc/jail.conf you can set
Code:
mount.devfs;
A FreeBSD security advisory https://www.freebsd.org/security/advisories/FreeBSD-SA-14:07.devfs.asc for devfs on 4-30-2014
II. Problem Description
The default devfs rulesets are not loaded on boot, even when jails are used.
Device nodes will be created in the jail with their normal default access
permissions, while most of them should be hidden and inaccessible.
III. Impact
Jailed processes can get access to restricted resources on the host system.
For jailed processes running with superuser privileges this implies access
to all devices on the system. This level of access could lead to information
leakage and privilege escalation.
IV. Workaround
Systems that do not run jails are not affected.
The system administrator can do the following to load the default ruleset:
/etc/rc.d/devfs onestart
Then apply the default ruleset for jails on a devfs mount using:
devfs -m ${devfs_mountpoint} rule -s 4 applyset
Or, alternatively, the following command will apply the ruleset over all devfs
mountpoints except the host one:
mount -t devfs | grep -v '^devfs on /dev ' | awk '{print $3;}' | \
xargs -n 1 -J % devfs -m % rule -s 4 applyset
After this, the system administrator should add the following configuration
to /etc/rc.conf to make it permanent, so the above operations do not have
to be done each time the host system reboots.
devfs_load_rulesets="YES"
V. Solution
3) To update your vulnerable system via a binary patch:
Questions I'm uncertain of:
1) Does mount.devfs have to be set explicity in /etc/jail.conf?
2) In the workaround it says to set devfs_load_rulesets="YES" in /etc/rc.conf. If the patch is applied as noted in the solution, is it explicitly required to set this in /etc/rc.conf?
My /etc/jail.conf does not have mount.devfs and my /etc/rc.conf does not have devs_load_rulesets set; in my jails I have:
Code:
lrwxr-xr-x 1 root wheel 12 Sep 12 04:35 log -> /var/run/log
-rw-r--r-- 1 root wheel 0 Sep 18 01:52 null
-rw-r--r-- 1 root wheel 0 Sep 17 03:01 stderr