Differential D26537

devfs.rules: unhide pf in vnet jails
ClosedPublic
Actions

Authored by kp on Sep 23 2020, 7:14 PM.

Details

Reviewers

Group Reviewers

network

Commits

rS366461: devfs.rules: unhide pf in vnet jails

Summary

/dev/pf is usable in vnet jails, so don't hide the node there.

We shouldn't expose /dev/pf in regular jails, as that gives them control
over the host (or parent vnet jail) firewall.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp requested review of this revision.Sep 23 2020, 7:14 PM

kp created this revision.

Harbormaster completed remote builds in B33780: Diff 77451.Sep 23 2020, 7:14 PM

Did we ever fix this one?

https://www.openbsd.org/errata48.html
005: SECURITY FIX: December 17, 2010 All architectures
Insufficent initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.

https://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/005_pf.patch

In D26537#590825, @bz wrote:

Did we ever fix this one?

https://www.openbsd.org/errata48.html
005: SECURITY FIX: December 17, 2010 All architectures
Insufficent initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.

https://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/005_pf.patch

I believe you did: https://svnweb.freebsd.org/base?view=revision&revision=302117

In D26537#591051, @kp wrote:

In D26537#590825, @bz wrote:

Did we ever fix this one?

https://www.openbsd.org/errata48.html
005: SECURITY FIX: December 17, 2010 All architectures
Insufficent initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.

https://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/005_pf.patch

I believe you did: https://svnweb.freebsd.org/base?view=revision&revision=302117

Oh wow, and not even I could remember that ... Good to know I can finally forget about it for real ;-)

We'll probably want to add more of these in the future for vnets, so happy we start to lay the grounds.
Will you work on jail/jail.conf to also pick the right set for devfs depending on whether the vnet option is given? If not you should given @jamie a ping6.

This revision is now accepted and ready to land.Sep 24 2020, 11:42 AM

Closed by commit rS366461: devfs.rules: unhide pf in vnet jails (authored by kp). · Explain WhyOct 5 2020, 7:27 PM

This revision was automatically updated to reflect the committed changes.

kp added a commit: rS366461: devfs.rules: unhide pf in vnet jails.

Herald added a subscriber: imp. · View Herald TranscriptOct 5 2020, 7:27 PM

In D26537#591054, @bz wrote:

We'll probably want to add more of these in the future for vnets, so happy we start to lay the grounds.
Will you work on jail/jail.conf to also pick the right set for devfs depending on whether the vnet option is given? If not you should given @jamie a ping6.

jail (and ezjail) already make it possible to set the desired devise rules, so in that respect it's already done.
jail defaults to devfsrules_jail (i.e. 4). We could potentially teach it to automatically use 5 for vnet jails, but I'm a little lost in how jail works myself.

zlei mentioned this in D32814: devfs.rules: Correctly unhide pf in vnet jails.Nov 3 2021, 10:02 AM

Revision Contents
Changeset List

Path

Size

head/

sbin/

devfs/

devfs.rules

4 lines

Diff 77911

View Options

head/sbin/devfs/devfs.rules

devfs.rules: unhide pf in vnet jailsClosedPublicActions