
devfs.rules: unhide pf in vnet jails
Closed, Public

Authored by kp on Wed, Sep 23, 7:14 PM.

Details

Reviewers
bz
Group Reviewers
network
Commits
rS366461: devfs.rules: unhide pf in vnet jails
Summary

/dev/pf is usable in vnet jails, so don't hide the node there.

We shouldn't expose /dev/pf in regular jails, as that gives them control
over the host (or parent vnet jail) firewall.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

kp requested review of this revision. Wed, Sep 23, 7:14 PM
kp created this revision.

Did we ever fix this one?

https://www.openbsd.org/errata48.html
005: SECURITY FIX: December 17, 2010 All architectures
Insufficent initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.

https://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/005_pf.patch

In D26537#590825, @bz wrote:

> Did we ever fix this one?
>
> https://www.openbsd.org/errata48.html
> 005: SECURITY FIX: December 17, 2010 All architectures
> Insufficent initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.
>
> https://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/005_pf.patch

I believe you did: https://svnweb.freebsd.org/base?view=revision&revision=302117

In D26537#591051, @kp wrote:

> In D26537#590825, @bz wrote:
>
> > Did we ever fix this one?
> >
> > https://www.openbsd.org/errata48.html
> > 005: SECURITY FIX: December 17, 2010 All architectures
> > Insufficent initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.
> >
> > https://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/005_pf.patch
>
> I believe you did: https://svnweb.freebsd.org/base?view=revision&revision=302117

Oh wow, and not even I could remember that ... Good to know I can finally forget about it for real ;-)

bz added a subscriber: jamie.

We'll probably want to add more of these in the future for vnets, so happy we start to lay the grounds.
Will you work on jail/jail.conf to also pick the right set for devfs depending on whether the vnet option is given? If not you should give @jamie a ping6.

This revision is now accepted and ready to land. Thu, Sep 24, 11:42 AM
This revision was automatically updated to reflect the committed changes.
In D26537#591054, @bz wrote:

> We'll probably want to add more of these in the future for vnets, so happy we start to lay the grounds.
> Will you work on jail/jail.conf to also pick the right set for devfs depending on whether the vnet option is given? If not you should give @jamie a ping6.

jail (and ezjail) already make it possible to set the desired devfs rules, so in that respect it's already done.
jail defaults to devfsrules_jail (i.e. 4). We could potentially teach it to automatically use 5 for vnet jails, but I'm a little lost in how jail works myself.
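The two failure modes this review describes are a vnet jail left on the default ruleset (pf is usable there, but /dev/pf stays hidden) and a non-vnet jail handed the vnet ruleset (which, as the summary says, exposes the host's or parent vnet jail's firewall). Since jail(8) does not pick the ruleset automatically, the practical check is to audit jail.conf for the mismatch. The script below is an added example, not part of D26537 nor FreeBSD's own tooling; it assumes the ruleset numbers kp gives (4 = devfsrules_jail, the mount.devfs default; 5 = the vnet ruleset, named devfsrules_jail_vnet in /etc/defaults/devfs.rules), parses only the plain `name { param; }` stanza form with one parameter per line, and the sample jail.conf it runs on is constructed for the example. The `jexec` runtime check only works on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not FreeBSD code, not part of D26537): audit a jail.conf for
# the devfs ruleset / vnet mismatch discussed in the review.
#
# Assumptions (from kp's comment and jail(8)): with mount.devfs a jail gets
# devfs ruleset 4 (devfsrules_jail) unless devfs_ruleset says otherwise, and
# ruleset 5 is the vnet ruleset that unhides /dev/pf. Only the plain
# "name { ... }" stanza form with one parameter per line is parsed.

# Read a jail.conf on stdin; print one finding per stanza.
audit_jail_conf() {
    awk '
    # stanza start: "name {"
    /^[A-Za-z0-9_.-]+[ \t]*[{]/ {
        name = $1; sub(/[{].*/, "", name); vnet = 0; rs = ""; next
    }
    # "vnet;" or "vnet = new;" gives the jail its own network stack
    /^[ \t]*vnet([ \t]*;|[ \t]*=[ \t]*new)/ { vnet = 1; next }
    /^[ \t]*devfs_ruleset[ \t]*=[ \t]*[0-9]+/ {
        match($0, /[0-9]+/); rs = substr($0, RSTART, RLENGTH); next
    }
    # stanza end: does /dev/pf visibility match the jail type?
    /^[ \t]*[}]/ {
        if (name == "") next
        shown = (rs == "") ? "default(4)" : rs
        if (vnet && rs == "5")
            printf "%s: ok (jail-local /dev/pf)\n", name
        else if (vnet)
            printf "%s: vnet jail on ruleset %s; /dev/pf stays hidden, use 5\n", name, shown
        else if (rs == "5")
            printf "%s: non-vnet jail on ruleset 5; exposes the HOST /dev/pf\n", name
        else
            printf "%s: ok (no /dev/pf)\n", name
        name = ""
    }'
}

# Runtime counterpart on a FreeBSD host (needs jexec; not exercised offline):
# a vnet jail should see a /dev/pf character device, a non-vnet jail should not.
check_pf_node() {
    if jexec "$1" test -c /dev/pf 2>/dev/null; then
        echo "$1: /dev/pf present"
    else
        echo "$1: /dev/pf absent"
    fi
}

# Constructed sample jail.conf (not from the page): two correct jails, one
# non-vnet jail wrongly on ruleset 5, one vnet jail left on the default.
SAMPLE_JAIL_CONF='web {
    path = /jails/web;
    mount.devfs;
}
router {
    path = /jails/router;
    vnet;
    mount.devfs;
    devfs_ruleset = 5;
}
legacy {
    path = /jails/legacy;
    mount.devfs;
    devfs_ruleset = 5;
}
lab {
    path = /jails/lab;
    vnet;
    mount.devfs;
}'

printf '%s\n' "$SAMPLE_JAIL_CONF" | audit_jail_conf
```

On a live system, `devfs rule -s 5 show` lists what ruleset 5 actually unhides, and `check_pf_node <jail>` confirms the node is (or is not) there after the jail starts; the audit flags `legacy` because a non-vnet jail on ruleset 5 is exactly the exposure the commit message warns against, and `lab` because its pf would be usable but invisible.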