From nobody@FreeBSD.org  Wed Feb 26 09:47:00 2014
Message-Id: <201402260946.s1Q9kxK5096818@cgiserv.freebsd.org>
Date: Wed, 26 Feb 2014 09:46:59 GMT
From: Robert Schulze <rs@bytecamp.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: devfs_load_rulesets has to be enabled for mount.devfs to behave like expected
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         187079
>Category:       kern
>Synopsis:       [jail] devfs_load_rulesets has to be enabled for mount.devfs to behave like expected
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-jail
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 26 09:50:00 UTC 2014
>Closed-Date:    Sun May 04 02:54:06 UTC 2014
>Last-Modified:  Sun May 04 02:54:06 UTC 2014
>Originator:     Robert Schulze
>Release:        10.0-RELEASE
>Organization:
>Environment:
FreeBSD hostname 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r262478: Tue Feb 25 13:25:37 CET 2014     root@hostname:/usr/obj/usr/src/sys/JWEB  amd64

>Description:
When mounting devfs into jails via mount.devfs in /etc/jail.conf, it is expected to be assigned the ruleset #4 by default, so that only basic device nodes are accessible inside the jail. However, without explicitly setting devfs_load_rulesets="YES" in /etc/rc.conf, the jail's devfs doesn't get restricted, it will contain all device nodes instead.

>How-To-Repeat:

>Fix:
Either make devfs_load_rulesets="YES" the default in /etc/defaults/rc.conf or clearly state that this has to be set explicitly in the manpage of jail(8).
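The behaviour the report describes hinges on how rc(8) builds the effective value of devfs_load_rulesets from /etc/defaults/rc.conf and /etc/rc.conf. As an added illustration, not code from the PR or from FreeBSD's rc scripts, the sh script below sources a defaults file and a local file the same way (last assignment wins), applies the same yes/true/on/1 accept set as checkyesno() in rc.subr, and reports whether jailed devfs will be restricted; the two sample rc.conf fragments and their file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the PR: mimic how rc(8) derives devfs_load_rulesets
# from /etc/defaults/rc.conf overridden by /etc/rc.conf, so an admin can tell
# whether ruleset 4 will exist when jail.conf's mount.devfs runs.
# Same accept set as checkyesno() in rc.subr: yes/true/on/1, case-insensitive.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}
# Source defaults first, then the local file (last assignment wins), inside a
# subshell so nothing leaks into the caller; print the effective value.
effective_devfs_load_rulesets() {
    defaults=$1; rcconf=$2
    (
        devfs_load_rulesets=NO            # hypothetical fallback if neither file sets it
        if [ -r "$defaults" ]; then . "$defaults"; fi
        if [ -r "$rcconf" ]; then . "$rcconf"; fi
        printf '%s\n' "$devfs_load_rulesets"
    )
}
# 0 when the rulesets get loaded at boot (jailed devfs restricted), 1 otherwise.
jail_devfs_restricted() {
    is_yes "$(effective_devfs_load_rulesets "$1" "$2")"
}
# Constructed stand-ins for /etc/defaults/rc.conf and two /etc/rc.conf variants.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/defaults.conf" <<'EOF'
devfs_load_rulesets="NO"    # the 10.0-RELEASE default the PR complains about
jail_enable="NO"
EOF
cat > "$tmp/weak.conf" <<'EOF'
jail_enable="YES"           # jails start, rulesets never loaded: ruleset 4 is empty
EOF
cat > "$tmp/fixed.conf" <<'EOF'
jail_enable="YES"
devfs_load_rulesets="YES"   # devfsrules_jail (ruleset 4) loaded, mount.devfs restricts
EOF
for f in weak fixed; do
    if jail_devfs_restricted "$tmp/defaults.conf" "$tmp/$f.conf"; then
        echo "$f.conf: rulesets loaded; mount.devfs in jail.conf restricts device nodes"
    else
        echo "$f.conf: devfs_load_rulesets off; jailed devfs exposes every device node"
    fi
done
```

On a real host the same check is simply whether `devfs rule -s 4 show` prints any rules after boot.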


>Release-Note:
>Audit-Trail:

From: Matthias Meyser <meyser@xenet.de>
To: bug-followup@FreeBSD.org, rs@bytecamp.net, secteam@FreeBSD.org
Cc:  
Subject: Re: misc/187079: devfs_load_rulesets has to be enabled for mount.devfs to behave like expected
Date: Thu, 06 Mar 2014 09:17:48 +0100

 I think this should be fixed ASAP or everyone updating
 FreeBSD will end up running insecure jails.
 
 At least there should be a big fat warning in UPDATING.
 
 Better /etc/rc.d/jail should emit a warning.
 
 Best devfs.rules should be loaded as needed.
 This would restore the old behavior and not break POLA.
 
 with regards
     Matthias Meyser
 -- 
 Matthias Meyser            | XeNET GmbH
 Tel.:  +49-5323-9489050    | 38678 Clausthal-Zellerfeld, Marktstrasse 40
 Fax:   +49-5323-94014      | Registergericht: Amtsgericht Braunschweig HRB 110823
 Email: Meyser@xenet.de     | Geschaeftsfuehrer: Matthias Meyser
Responsible-Changed-From-To: freebsd-bugs->freebsd-jail 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Mar 9 15:41:47 UTC 2014 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=187079 

From: Robert Schulze <rs@bytecamp.net>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/187079: devfs_load_rulesets has to be enabled for mount.devfs to behave like expected
Date: Wed, 30 Apr 2014 10:12:18 +0200

 This PR can be closed as of FreeBSD-SA-14:07.devfs
 
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Sun May 4 02:53:09 UTC 2014 
State-Changed-Why:  
From submitter: 

This PR can be closed as of FreeBSD-SA-14:07.devfs . 

http://www.freebsd.org/cgi/query-pr.cgi?pr=187079 
>Unformatted:
