devfs.rules: unhide pf in vnet jails
Closed, Public

Authored by kp on Sep 23 2020, 7:14 PM.
Details

Reviewers
bz
Group Reviewers
network
Commits
rS366461: devfs.rules: unhide pf in vnet jails
Summary

/dev/pf is usable in vnet jails, so don't hide the node there.

We shouldn't expose /dev/pf in regular jails, as that gives them control
over the host (or parent vnet jail) firewall.

Event Timeline

kp requested review of this revision. Sep 23 2020, 7:14 PM
kp created this revision.

Did we ever fix this one?

https://www.openbsd.org/errata48.html
005: SECURITY FIX: December 17, 2010 All architectures
Insufficient initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.

https://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/005_pf.patch

In D26537#590825, @bz wrote:

Did we ever fix this one?

https://www.openbsd.org/errata48.html
005: SECURITY FIX: December 17, 2010 All architectures
Insufficient initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.

https://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/005_pf.patch

I believe you did: https://svnweb.freebsd.org/base?view=revision&revision=302117

In D26537#591051, @kp wrote:
In D26537#590825, @bz wrote:

Did we ever fix this one?

https://www.openbsd.org/errata48.html
005: SECURITY FIX: December 17, 2010 All architectures
Insufficient initialization of the pf rule structure in the ioctl handler may allow userland to modify kernel memory. By default root privileges are needed to add or modify pf rules.

https://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/005_pf.patch

I believe you did: https://svnweb.freebsd.org/base?view=revision&revision=302117

Oh wow, and not even I could remember that ... Good to know I can finally forget about it for real ;-)

bz added a subscriber: jamie.

We'll probably want to add more of these in the future for vnets, so happy we start to lay the grounds.
Will you work on jail/jail.conf to also pick the right set for devfs depending on whether the vnet option is given? If not, you should give @jamie a ping6.

This revision is now accepted and ready to land. Sep 24 2020, 11:42 AM
This revision was automatically updated to reflect the committed changes.
In D26537#591054, @bz wrote:

We'll probably want to add more of these in the future for vnets, so happy we start to lay the grounds.
Will you work on jail/jail.conf to also pick the right set for devfs depending on whether the vnet option is given? If not, you should give @jamie a ping6.

jail (and ezjail) already make it possible to set the desired devfs rules, so in that respect it's already done.
jail defaults to devfsrules_jail (i.e. 4). We could potentially teach it to automatically use 5 for vnet jails, but I'm a little lost in how jail works myself.
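An added example, not part of this revision and not FreeBSD's own tooling, that turns the policy stated in the summary and in the ruleset discussion above into a check: a POSIX shell audit that walks the running jails and flags any jail without its own vnet that can nonetheless see /dev/pf, which is exactly the case that hands a jail control of the host (or parent vnet) firewall. It assumes the ruleset numbering discussed in the thread (4 for devfsrules_jail, 5 for the vnet variant) and that jls(8) reports the vnet parameter as new/inherit (a numeric 1 is accepted as well); both are assumptions, not something this page shows.

```shell
#!/bin/sh
# Audit /dev/pf exposure across running jails (added example, not project code).
# Policy under review: a jail that owns its own vnet may see /dev/pf; a jail
# sharing the host's network stack must not, because writing to /dev/pf there
# edits the host's (or parent vnet jail's) pf configuration.

# Verdict for one jail.
#   $1 = the jail's "vnet" parameter as printed by jls (assumed "new"/"inherit",
#        or numeric 1 for a new vnet on older releases)
#   $2 = 1 if /dev/pf exists inside the jail, 0 otherwise
# Prints: ok, LEAK (non-vnet jail can reach host pf), or hidden (vnet jail
# without /dev/pf, i.e. the wrong devfs ruleset is applied).
pf_exposure_verdict() {
    case "$1" in
        new|1) owns_vnet=1 ;;
        *)     owns_vnet=0 ;;
    esac
    if [ "$owns_vnet" -eq 1 ]; then
        if [ "$2" -eq 1 ]; then echo ok; else echo hidden; fi
    else
        if [ "$2" -eq 1 ]; then echo LEAK; else echo ok; fi
    fi
}

# devfs ruleset a jail should be started with under that policy.
# Assumed numbering: devfsrules_jail=4, vnet variant=5 (as discussed above).
expected_devfs_ruleset() {
    case "$1" in
        new|1) echo 5 ;;
        *)     echo 4 ;;
    esac
}

# Walk the live jails.  Only does work on a FreeBSD host with jls(8)/jexec(8)
# and needs root; elsewhere it reports nothing and the functions above can
# still be exercised directly.  Returns 1 if any LEAK was found.
audit_running_jails() {
    if ! command -v jls >/dev/null 2>&1; then
        echo "jls not available; nothing to audit" >&2
        return 0
    fi
    rc=0
    for j in $(jls name); do
        vnet=$(jls -j "$j" vnet 2>/dev/null)
        if jexec "$j" test -e /dev/pf; then has_pf=1; else has_pf=0; fi
        verdict=$(pf_exposure_verdict "$vnet" "$has_pf")
        printf '%-20s vnet=%-8s /dev/pf=%s  expected devfs_ruleset=%s  %s\n' \
            "$j" "$vnet" "$has_pf" "$(expected_devfs_ruleset "$vnet")" "$verdict"
        [ "$verdict" = LEAK ] && rc=1
    done
    return $rc
}

audit_running_jails
```

Run it as root on the jail host; a LEAK line names a jail that can reach the host's pf tables through /dev/pf and should be restarted with the restrictive ruleset. The matching jail.conf setting is devfs_ruleset = 5; next to vnet; for the vnet jails, while jails without vnet keep the default of 4.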