jail-safe filesystems

jail-safe filesystems

Michael W. Lucas
Hi!

I'm writing about filesystems and jails right now, and the docs have
me wondering:

Filesystems marked with "jail" in lsvfs(8) are safe to use inside
jails. Cool.

Is this an "absolutely do not use others within jails" statement, or
is it a "don't manage these from jails" rule? Can I leave
enforce_statfs=2 but, say, have the host mount md0 as /tmp for the jail?

I *think* it's an absolute prohibition, but want to be sure before I
declare it to be so. It's the sort of thing I'll get complaints about
if I'm wrong.

Thanks,
==ml

--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Re: jail-safe filesystems

Konstantin Belousov
On Wed, Jan 16, 2019 at 03:35:47PM -0500, Michael W. Lucas wrote:

> Hi!
>
> I'm writing about filesystems and jails right now, and the docs have
> me wondering:
>
> Filesystems marked with "jail" in lsvfs(8) are safe to use inside
> jails. Cool.
>
> Is this an "absolutely do not use others within jails" statement, or
> is it a "don't manage these from jails" rule? Can I leave
> enforce_statfs=2 but, say, have the host mount md0 as /tmp for the jail?
The 'safe to use inside jail' mark means that the mark's author considered
the marked filesystem robust enough to trust its mounting to an untrusted
jail root.

For instance, UFS metadata parsing is *not* robust enough to sustain an
attempt to mount arbitrary bytes from a volume, or especially a specially
crafted malicious volume.  On the other hand, tmpfs is considered safe
because it is synthetic and the kernel manages all the (meta)data on its own,
so the only thing a malicious jail root can do is consume host memory.

That said, md0 is only a memory-disk device; which filesystem you put on
it is up to you.  And personally I recommend using tmpfs for /tmp, not
async UFS over swap-backed md(4).  The advantage of the former is avoidance
of a double copy and somewhat less locking overhead.

>
> I *think* it's an absolute prohibition, but want to be sure before I
> declare it to be so. It's the sort of thing I'll get complaints about
> if I'm wrong.
>
> Thanks,
> ==ml
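The distinction drawn in the reply above (the "jail" flag says which filesystems a jail root may be trusted to mount itself; it says nothing about the host mounting, say, UFS on md0 into the jail's tree) can be turned into a pre-flight check. The script below is an added example written for this page; it is not code from the thread, from FreeBSD, or from either author. It parses lsvfs(8)-style output for the "jail" flag and sorts a jail's planned mounts into "jail-mountable" (types you could delegate to the jail via allow.mount.<fs>) and "host-only" (types the host must mount and never delegate). Both the lsvfs text and the fstab(5)-style plan are constructed samples that approximate real output; flag names and numbers vary by release, so run the real `lsvfs` on the host you care about.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from FreeBSD).
# Parses lsvfs(8)-style output for the "jail" flag, then checks a jail's
# intended mount list against it.

# Constructed text resembling `lsvfs` on a FreeBSD host. Numbers, refcounts
# and flags differ between releases; in real use pass "$(lsvfs)" instead.
SAMPLE_LSVFS='Filesystem                              Num  Refs  Flags
-------------------------------- ----------- ----- ---------------
ufs                                 0x00000035     2 
zfs                                 0x000000ac    13 jail, delegated-administration
tmpfs                               0x000000b5     0 jail
nullfs                              0x00000073     0 loopback, jail
devfs                               0x00000071     1 synthetic, jail
msdosfs                             0x00000004     0 
cd9660                              0x000000bd     0 readonly'

# Constructed mount plan in fstab(5) layout, as one might write for a jail's
# mount.fstab: device, mountpoint, fstype, options, dump, pass.
SAMPLE_FSTAB='# md-backed UFS scratch space, the case asked about in the thread
/dev/md0     /jails/www/tmp        ufs     rw,async       0 0
tmpfs        /jails/www/var/tmp    tmpfs   rw,size=256m   0 0
/usr/ports   /jails/www/usr/ports  nullfs  ro             0 0
/dev/cd0     /jails/www/cdrom      cd9660  ro             0 0'

# jail_safe_list LSVFS_TEXT
# Prints one filesystem name per line whose Flags column contains "jail".
# The first two lines of lsvfs output are the header and the rule.
jail_safe_list() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 4 {
        flags = ""
        for (i = 4; i <= NF; i++) flags = flags " " $i
        gsub(/,/, " ", flags)
        n = split(flags, f, " ")
        for (i = 1; i <= n; i++)
            if (f[i] == "jail") { print $1; break }
    }'
}

# is_jail_safe LSVFS_TEXT FSTYPE -> exit status 0 if FSTYPE carries the flag
is_jail_safe() {
    jail_safe_list "$1" | grep -qx -- "$2"
}

# classify_plan LSVFS_TEXT FSTAB_TEXT
# Prints one verdict per fstab entry:
#   jail-mountable  type is marked "jail": allow.mount.<fs> may be delegated
#                   to the jail if you choose to
#   host-only       no "jail" flag: mount it from the host (as with md0
#                   carrying UFS) and never grant the jail allow.mount for it
classify_plan() {
    printf '%s\n' "$2" | while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|\#*) continue ;; esac
        if is_jail_safe "$1" "$fstype"; then
            printf 'jail-mountable  %-8s %s\n' "$fstype" "$mnt"
        else
            printf 'host-only       %-8s %s\n' "$fstype" "$mnt"
        fi
    done
}

# host_only_count LSVFS_TEXT FSTAB_TEXT -> prints how many entries are host-only
host_only_count() {
    classify_plan "$1" "$2" | grep -c '^host-only'
}

classify_plan "$SAMPLE_LSVFS" "$SAMPLE_FSTAB"
```

With the samples above, the md0/ufs and cd9660 entries come out host-only and the tmpfs and nullfs entries jail-mountable. The knobs this maps onto are the jail(8) parameters: allow.mount plus the per-type allow.mount.<fs> (tmpfs, nullfs, devfs, zfs and so on) decide what the jail root may mount itself, and enforce_statfs (2 by default) decides which mounts the jail can see; jail(8) notes that allow.mount only takes effect when enforce_statfs is below 2. A host-side mount of an md-backed UFS into the jail's tree needs none of those delegations, which is the point of the reply.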