Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mount fdescfs on jail start when mount_fdescfs is set #727

Merged
merged 21 commits into from
May 10, 2019
Merged

Mount fdescfs on jail start when mount_fdescfs is set #727

merged 21 commits into from
May 10, 2019

Conversation

gronke
Copy link
Member

@gronke gronke commented May 8, 2019
edited

Security

  • mount /dev and /dev/fd from within the jail
  • apply security checks before unmounting system mountpoints from a jail

Bugs

  • fix mounting /dev when mount_devfs is enabled
  • fix mounting /dev/fd when mount_fdescfs is enabled
  • include sysvshm, sysvsem and sysvmsg jail params on start

mount_descfs is a /usr/sbin/jail argument, not a Jail parameter. Therefore it is not handled by py-jail and must be manually handled during jail start.

@gronke gronke added the bug label May 8, 2019
igalic
igalic reviewed May 8, 2019
View reviewed changes
Copy link
Collaborator

@igalic igalic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👀

libioc/Config/Jail/BaseConfig.py Outdated Show resolved Hide resolved
libioc/Jail.py Show resolved Hide resolved
@gronke gronke added the security label May 9, 2019
igalic
igalic approved these changes May 9, 2019
View reviewed changes
Copy link
Collaborator

@igalic igalic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i, tentatively approve

requirements.txt Show resolved Hide resolved
libioc/Config/Jail/Globals.py Outdated Show resolved Hide resolved
@gronke gronke force-pushed the fix/mount-fdescfs branch 4 times, most recently from 5b2020a to e2a6bb8 Compare May 9, 2019 16:28
gronke added 13 commits May 9, 2019 18:29
@gronke
sysctl NODE type can have int values
6d45915
@gronke
BaseConfig.is_known_property is a public method
6c31208
@gronke
map disabled, inherit and new values to NODE/INT jail params
c6d405f
@gronke
JailLaunchFailed error can hava a reason
48ba185
@gronke
BaseConfig._get_* methods mark a config property as known
5b32418
@gronke
enhance mount_devfs and mount_fdescfs usability
b306db9
@gronke
Jail handles params with sysctl NODE type
4e2bb1d
@gronke
mount /dev and /dev/fd from within the jail
f781dcc
@gronke
Resource.require_relative path() is a public method
6f33a64
@gronke
fail unmount of insecure jail mountpoints on Storage teardown
14fff55
@gronke
pin Python developer requirement bandit to version 1.5.1
af5704d 
PyCQA/bandit#488
@gronke
pass ruleset mount property when mounting devfs from outside of the jail
21d1fdd
@gronke
decode nmount error message type calling MountFailed exception
6ce4434
@gronke gronke merged commit 8cf772d into master May 10, 2019
@gronke gronke deleted the fix/mount-fdescfs branch May 10, 2019 13:51
@igalic igalic mentioned this pull request May 13, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@igalic igalic igalic approved these changes

Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@gronke @igalic