Re: FreeBSD Security Advisory FreeBSD-SA-14:07.devfs

Board: FB_security, posted 11 years ago (2014/05/01 03:01), edited, score 0 (0/0/0)
0 comments, 0 participants, thread 6/10
On 04/30/14 04:09, Matthew Seaman wrote:
> On 04/30/14 05:35, FreeBSD Security Advisories wrote:
>> Then apply the default ruleset for jails on a devfs mount using:
>>
>> devfs -m ${devfs_mountpoint} rule -s 4 applyset
>>
>> Or, alternatively, the following command will apply the ruleset
>> over all devfs mountpoints except the host one:
>>
>> mount -t devfs | grep -v '^devfs on /dev ' | awk '{print $3;}' | \
>> xargs -n 1 -J % devfs -m % rule -s 4 applyset
>>
>> After this, the system administrator should add the following
>> configuration to /etc/rc.conf to make it permanent, so the above
>> operations do not have to be done each time the host system
>> reboots.
>>
>> devfs_load_rulesets="YES"
>>
>
> Verb. Sap. Doing this in a jail where you're running net-snmpd
> will prevent snmpd from starting up correctly.
>
> Apr 30 12:02:30 xxxxx snmpd[33871]: init_kmem: kvm_openfiles
> failed: /dev/mem: No such file or directory
> Apr 30 12:02:30 xxxxx snmpd[33871]: Agent initialization failed

This is pretty much expected behavior. The reason is that /dev/mem provides an interface to physical memory; this would have defeated the purpose of doing jails by definition.

It would be interesting to find out if we could teach net-snmpd to use alternative methods to access data it needs, e.g. via sysctl I think? Not all data are exposed via sysctl at this time, though.

Cheers,
-- 
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
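The advisory's one-liner, split into reusable functions, plus a check for the situation Xin LI describes (a jail devfs that still exposes /dev/mem). This is an added example for readers of the thread, not code from the advisory or from any of the posters. It reuses the advisory's filter (`grep -v '^devfs on /dev '` and ruleset 4) and assumes devfs(8) is present only when run on FreeBSD; the sample `mount -t devfs` output and the jail paths under /usr/jails are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `mount -t devfs` output (not captured from a real host).
SAMPLE_MOUNTS='devfs on /dev (devfs, local, multilabel)
devfs on /usr/jails/web/dev (devfs, local, multilabel)
devfs on /usr/jails/db/dev (devfs, local, multilabel)'

# Read `mount -t devfs` output on stdin and print the mountpoint of every
# devfs mount except the host /dev. Same filter as the advisory's pipeline.
jail_devfs_mountpoints() {
    grep -v '^devfs on /dev ' | awk '{print $3;}'
}

# Apply the jail ruleset (ruleset 4) to every non-host devfs mount.
# devfs(8) is only invoked when it exists, i.e. on FreeBSD; elsewhere the
# command that would run is echoed so the logic can be inspected safely.
apply_jail_ruleset() {
    mount -t devfs | jail_devfs_mountpoints | while IFS= read -r mp; do
        if command -v devfs >/dev/null 2>&1; then
            devfs -m "$mp" rule -s 4 applyset
        else
            echo "would run: devfs -m $mp rule -s 4 applyset"
        fi
    done
}

# Report jail devfs mounts that still expose /dev/mem or /dev/kmem. After the
# ruleset has been applied these should be absent; a hit means the ruleset
# was not applied (or was reverted by a reboot without devfs_load_rulesets).
report_mem_devices() {
    mount -t devfs | jail_devfs_mountpoints | while IFS= read -r mp; do
        for dev in mem kmem; do
            [ -e "$mp/$dev" ] && echo "WARNING: $mp/$dev is exposed inside a jail"
        done
    done
}

# Usage (on a FreeBSD host): apply_jail_ruleset; report_mem_devices
```

Note that `report_mem_devices` is also a quick way to confirm why a jailed net-snmpd fails as in the log lines quoted above: if /dev/mem is gone from the jail's devfs, `kvm_openfiles` has nothing to open, which is the intended effect of the ruleset.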
Article ID (AID): #1JOKXlUZ (FB_security)