From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 03:49:30 2014
Return-Path:
Delivered-To: freebsd-jail@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 33FEBC96;
 Fri, 25 Jul 2014 03:49:30 +0000 (UTC)
Received: from wonkity.com (wonkity.com [67.158.26.137])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "wonkity.com", Issuer "wonkity.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id D7CBB2B33;
 Fri, 25 Jul 2014 03:49:29 +0000 (UTC)
Received: from wonkity.com (localhost [127.0.0.1])
 by wonkity.com (8.14.9/8.14.9) with ESMTP id s6P3nSnL026100
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Thu, 24 Jul 2014 21:49:28 -0600 (MDT)
 (envelope-from wblock@wonkity.com)
Received: from localhost (wblock@localhost)
 by wonkity.com (8.14.9/8.14.9/Submit) with ESMTP id s6P3nSoO026097;
 Thu, 24 Jul 2014 21:49:28 -0600 (MDT)
 (envelope-from wblock@wonkity.com)
Date: Thu, 24 Jul 2014 21:49:28 -0600 (MDT)
From: Warren Block
To: Glen Barber
Subject: Re: check_dhcp
In-Reply-To: <20140725034600.GA1065@hub.FreeBSD.org>
Message-ID:
References: <20140725032045.GY1065@hub.FreeBSD.org> <20140725033114.GZ1065@hub.FreeBSD.org> <20140725034600.GA1065@hub.FreeBSD.org>
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (wonkity.com [127.0.0.1]); Thu, 24 Jul 2014 21:49:28 -0600 (MDT)
Cc: freebsd-jail@FreeBSD.org
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 25 Jul 2014 03:49:30 -0000

On Thu, 24 Jul 2014, Glen Barber wrote:

> On Thu, Jul 24, 2014 at 09:35:52PM -0600, Warren Block wrote:
>> On Thu, 24 Jul 2014, Glen Barber wrote:
>>> On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote:
>>>> On Thu, 24 Jul 2014, Glen Barber wrote:
>>>>>
>>>>> The problem, I suspect, is that bpf(4) does not exist in the jail.
>>>>
>>>> It's there:
>>>>
>>>> # ls -lh /dev/b*
>>>> crw-------  1 root  wheel  0x12 Jul 24 21:00 /dev/bpf
>>>> lrwxr-xr-x  1 root  wheel    3B Jul 24 20:08 /dev/bpf0 -> bpf
>>>>
>>>
>>> This is within the jail?
>>
>> Yes.  It also has allow.raw_sockets=1.
>
> Well, I ask, because I think bpf(4) should *not* exist in the jail
> even with allow.raw_sockets=1.
>
> # sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
> # ls /dev/bpf*
> ls: No match.

Yes, I had to unhide it with devfs:

[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide

And then in /usr/local/etc/ezjail/jailname

export jail_jailname_devfs_ruleset="5"
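A small audit script, added here and not part of the thread, that scans a devfs.rules(5) file for rulesets which unhide bpf(4) nodes (as the ruleset above does) and reports which ezjail configs hand such a ruleset to a jail; the sample rules, jail names and temp-file paths are constructed for the example.

```sh
#!/bin/sh
# Added audit example (not from the thread): find devfs rulesets that unhide
# bpf(4) and the ezjail configs that assign them. A jail that can open /dev/bpf
# can capture traffic on the host's interfaces, so such grants deserve review.

# Print "NUM NAME" for every ruleset in the devfs.rules(5) file $1 that
# contains an "add path 'bpf*' unhide" style rule (comments and include lines
# are skipped; a plain "hide" rule does not count).
rulesets_unhiding_bpf() {
    awk '
        /^\[.*=[0-9]+\]/ {                      # section header: [name=NUM]
            s = $0; sub(/^\[/, "", s); sub(/\]$/, "", s)
            split(s, kv, "="); name = kv[1]; num = kv[2]; next
        }
        /^[ \t]*add[ \t].*path[ \t]+.?bpf/ && /unhide/ {
            if (!(num in seen)) { print num, name; seen[num] = 1 }
        }
    ' "$1"
}

# Print "JAIL NUM" for each line of the form
#   export jail_<name>_devfs_ruleset="NUM"
# found in the ezjail config files given as arguments.
jail_devfs_rulesets() {
    sed -n 's/^export jail_\(.*\)_devfs_ruleset="\{0,1\}\([0-9]*\)"\{0,1\}.*/\1 \2/p' "$@"
}

# $1 = devfs.rules file, remaining args = ezjail config files.
# Reports every jail whose assigned ruleset unhides bpf.
jails_exposing_bpf() {
    rules=$1; shift
    rulesets_unhiding_bpf "$rules" | while read -r num name; do
        jail_devfs_rulesets "$@" | while read -r jail rnum; do
            if [ "$rnum" = "$num" ]; then
                echo "$jail exposes bpf via ruleset $num ($name)"
            fi
        done
    done
}

# Constructed sample inputs (not from a real host) so the script runs stand-alone.
SAMPLE_RULES=$(mktemp); SAMPLE_EZJAIL=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide
[devfsrules_jail_nobpf=6]
add include $devfsrules_jail
add path 'bpf*' hide
EOF
printf 'export jail_dhcpjail_devfs_ruleset="5"\n' > "$SAMPLE_EZJAIL"
printf 'export jail_webjail_devfs_ruleset="4"\n' >> "$SAMPLE_EZJAIL"

jails_exposing_bpf "$SAMPLE_RULES" "$SAMPLE_EZJAIL"
```

On a real host, point the functions at /etc/devfs.rules and /usr/local/etc/ezjail/* instead of the sample files.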