From owner-freebsd-jail@FreeBSD.ORG Thu Jul 24 16:08:00 2014
Date: Thu, 24 Jul 2014 10:07:52 -0600 (MDT)
From: Warren Block
To: freebsd-jail@FreeBSD.org
Subject: Additional devfs rulesets
List-Id: "Discussion about FreeBSD jail(8)"

devfsrules_jail is defined in /etc/defaults/devfs.rules, but a new ruleset is needed to unhide bpf devices for using check_dhcp in a jail. It seems clunky to define the new ruleset in /etc/devfs.rules on the host.

Is there a more elegant way to define it with the jail (ezjail) settings in /usr/local/etc? Although it would help with keeping devfs rules with the other jail settings, is the need for running services like dhcpd in a jail enough to justify adding a new ruleset for it to /etc/defaults/devfs.rules?

[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide

(untested)

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 03:14:28 2014
Date: Thu, 24 Jul 2014 21:14:24 -0600 (MDT)
From: Warren Block
To: freebsd-jail@FreeBSD.org
Subject: check_dhcp

net-mgmt/monitoring-plugins has a check_dhcp program used to test the availability of a remote DHCP server. It has BSD-specific code, but seems fairly dated and only works when all supposedly optional parameters are given. However, it does work on a normal machine:

OK: Received 1 DHCPOFFER(s), 1 of 1 requested servers responded, max lease time = 600 sec.

But it does not work inside a jail, seeing no offers:

CRITICAL: No DHCPOFFERs were received.

Raw sockets and bpf are enabled in the jail. dhclient in the jail can actually get a lease. Is there anything else that needs to be configured to allow this to work in a jail?

After 'make -C /usr/ports/net-mgmt/monitoring-plugins', the code in question is check_dhcp.c in work/monitoring-plugins-monitoring-plugins-b5611ea/plugins-root. It gives these types of errors:

% ./check_dhcp -s 192.168.1.1
Error: if_nametoindex error - Device not configured.

% ./check_dhcp -s 192.168.1.1 -i em0
Error: Couldn't get hardware address from em0. sysctl 2 error - No such file or directory.

After adding -m , it gives no errors but never sees a response.
From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 03:20:49 2014
Date: Thu, 24 Jul 2014 23:20:45 -0400
From: Glen Barber
To: Warren Block
Cc: freebsd-jail@FreeBSD.org
Subject: Re: check_dhcp

On Thu, Jul 24, 2014 at 09:14:24PM -0600, Warren Block wrote:
> net-mgmt/monitoring-plugins has a check_dhcp program used to test the
> availability of a remote DHCP server. It has BSD-specific code, but seems
> fairly dated and only works when all supposedly optional parameters are
> given. However, it does work on a normal machine:
>
> OK: Received 1 DHCPOFFER(s), 1 of 1 requested servers responded, max lease time = 600 sec.
>
> But it does not work inside a jail, seeing no offers:
>
> CRITICAL: No DHCPOFFERs were received.
>
> Raw sockets and bpf are enabled in the jail. dhclient in the jail can
> actually get a lease. Is there anything else that needs to be configured to
> allow this to work in a jail?
>
> After 'make -C /usr/ports/net-mgmt/monitoring-plugins', the code in question
> is check_dhcp.c in
> work/monitoring-plugins-monitoring-plugins-b5611ea/plugins-root. It gives
> these types of errors:
>
> % ./check_dhcp -s 192.168.1.1
> Error: if_nametoindex error - Device not configured.
>
> % ./check_dhcp -s 192.168.1.1 -i em0
> Error: Couldn't get hardware address from em0. sysctl 2 error - No such file or directory.
>
> After adding -m , it gives no errors but never sees a
> response.

The problem, I suspect, is that bpf(4) does not exist in the jail.

Glen

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 03:25:08 2014
Date: Thu, 24 Jul 2014 21:25:06 -0600 (MDT)
From: Warren Block
To: Glen Barber
Cc: freebsd-jail@FreeBSD.org
Subject: Re: check_dhcp

On Thu, 24 Jul 2014, Glen Barber wrote:
> On Thu, Jul 24, 2014 at 09:14:24PM -0600, Warren Block wrote:
>> net-mgmt/monitoring-plugins has a check_dhcp program used to test the
>> availability of a remote DHCP server. It has BSD-specific code, but seems
>> fairly dated and only works when all supposedly optional parameters are
>> given. However, it does work on a normal machine:
>>
>> OK: Received 1 DHCPOFFER(s), 1 of 1 requested servers responded, max lease time = 600 sec.
>>
>> But it does not work inside a jail, seeing no offers:
>>
>> CRITICAL: No DHCPOFFERs were received.
>>
>> Raw sockets and bpf are enabled in the jail. dhclient in the jail can
>> actually get a lease. Is there anything else that needs to be configured to
>> allow this to work in a jail?
>>
>> After 'make -C /usr/ports/net-mgmt/monitoring-plugins', the code in question
>> is check_dhcp.c in
>> work/monitoring-plugins-monitoring-plugins-b5611ea/plugins-root. It gives
>> these types of errors:
>>
>> % ./check_dhcp -s 192.168.1.1
>> Error: if_nametoindex error - Device not configured.
>>
>> % ./check_dhcp -s 192.168.1.1 -i em0
>> Error: Couldn't get hardware address from em0. sysctl 2 error - No such file or directory.
>>
>> After adding -m , it gives no errors but never sees a
>> response.
>
> The problem, I suspect, is that bpf(4) does not exist in the jail.

It's there:

# ls -lh /dev/b*
crw------- 1 root wheel 0x12 Jul 24 21:00 /dev/bpf
lrwxr-xr-x 1 root wheel 3B Jul 24 20:08 /dev/bpf0 -> bpf

dhclient would not work without it, I think. But something else is different between the jail and a real machine.
From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 03:31:19 2014
Date: Thu, 24 Jul 2014 23:31:14 -0400
From: Glen Barber
To: Warren Block
Cc: freebsd-jail@FreeBSD.org
Subject: Re: check_dhcp

On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote:
> On Thu, 24 Jul 2014, Glen Barber wrote:
>
> >On Thu, Jul 24, 2014 at 09:14:24PM -0600, Warren Block wrote:
> >>net-mgmt/monitoring-plugins has a check_dhcp program used to test the
> >>availability of a remote DHCP server. It has BSD-specific code, but seems
> >>fairly dated and only works when all supposedly optional parameters are
> >>given. However, it does work on a normal machine:
> >>
> >> OK: Received 1 DHCPOFFER(s), 1 of 1 requested servers responded, max lease time = 600 sec.
> >>
> >>But it does not work inside a jail, seeing no offers:
> >>
> >> CRITICAL: No DHCPOFFERs were received.
> >>
> >>Raw sockets and bpf are enabled in the jail. dhclient in the jail can
> >>actually get a lease. Is there anything else that needs to be configured to
> >>allow this to work in a jail?
> >>
> >>After 'make -C /usr/ports/net-mgmt/monitoring-plugins', the code in question
> >>is check_dhcp.c in
> >>work/monitoring-plugins-monitoring-plugins-b5611ea/plugins-root. It gives
> >>these types of errors:
> >>
> >> % ./check_dhcp -s 192.168.1.1
> >> Error: if_nametoindex error - Device not configured.
> >>
> >> % ./check_dhcp -s 192.168.1.1 -i em0
> >> Error: Couldn't get hardware address from em0. sysctl 2 error - No such file or directory.
> >>
> >>After adding -m , it gives no errors but never sees a
> >>response.
> >
> >The problem, I suspect, is that bpf(4) does not exist in the jail.
>
> It's there:
>
> # ls -lh /dev/b*
> crw------- 1 root wheel 0x12 Jul 24 21:00 /dev/bpf
> lrwxr-xr-x 1 root wheel 3B Jul 24 20:08 /dev/bpf0 -> bpf
>

This is within the jail?

> dhclient would not work without it, I think. But something else is
> different between the jail and a real machine.

Glen

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 03:35:54 2014
Date: Thu, 24 Jul 2014 21:35:52 -0600 (MDT)
From: Warren Block
To: Glen Barber
Cc: freebsd-jail@FreeBSD.org
Subject: Re: check_dhcp

On Thu, 24 Jul 2014, Glen Barber wrote:
> On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote:
>> On Thu, 24 Jul 2014, Glen Barber wrote:
>>>
>>> The problem, I suspect, is that bpf(4) does not exist in the jail.
>>
>> It's there:
>>
>> # ls -lh /dev/b*
>> crw------- 1 root wheel 0x12 Jul 24 21:00 /dev/bpf
>> lrwxr-xr-x 1 root wheel 3B Jul 24 20:08 /dev/bpf0 -> bpf
>>
>
> This is within the jail?

Yes. It also has allow.raw_sockets=1.
From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 03:46:05 2014
Date: Thu, 24 Jul 2014 23:46:00 -0400
From: Glen Barber
To: Warren Block
Cc: freebsd-jail@FreeBSD.org
Subject: Re: check_dhcp

On Thu, Jul 24, 2014 at 09:35:52PM -0600, Warren Block wrote:
> On Thu, 24 Jul 2014, Glen Barber wrote:
> >On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote:
> >>On Thu, 24 Jul 2014, Glen Barber wrote:
> >>>
> >>>The problem, I suspect, is that bpf(4) does not exist in the jail.
> >>
> >>It's there:
> >>
> >># ls -lh /dev/b*
> >>crw------- 1 root wheel 0x12 Jul 24 21:00 /dev/bpf
> >>lrwxr-xr-x 1 root wheel 3B Jul 24 20:08 /dev/bpf0 -> bpf
> >>
> >
> >This is within the jail?
>
> Yes. It also has allow.raw_sockets=1.

Well, I ask, because I think bpf(4) should *not* exist in the jail even with allow.raw_sockets=1.

# sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1
# ls /dev/bpf*
ls: No match.

Glen

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 03:49:30 2014
Date: Thu, 24 Jul 2014 21:49:28 -0600 (MDT)
From: Warren Block
To: Glen Barber
Cc: freebsd-jail@FreeBSD.org
Subject: Re: check_dhcp

On Thu, 24 Jul 2014, Glen Barber wrote:
> On Thu, Jul 24, 2014 at 09:35:52PM -0600, Warren Block wrote:
>> On Thu, 24 Jul 2014, Glen Barber wrote:
>>> On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote:
>>>> On Thu, 24 Jul 2014, Glen Barber wrote:
>>>>>
>>>>> The problem, I suspect, is that bpf(4) does not exist in the jail.
>>>>
>>>> It's there:
>>>>
>>>> # ls -lh /dev/b*
>>>> crw------- 1 root wheel 0x12 Jul 24 21:00 /dev/bpf
>>>> lrwxr-xr-x 1 root wheel 3B Jul 24 20:08 /dev/bpf0 -> bpf
>>>>
>>>
>>> This is within the jail?
>>
>> Yes. It also has allow.raw_sockets=1.
>
> Well, I ask, because I think bpf(4) should *not* exist in the jail
> even with allow.raw_sockets=1.
>
> # sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
> # ls /dev/bpf*
> ls: No match.

Yes, I had to unhide it with devfs:

[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide

And then in /usr/local/etc/ezjail/jailname:

export jail_jailname_devfs_ruleset="5"

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 03:55:37 2014
Date: Thu, 24 Jul 2014 23:55:33 -0400
From: Glen Barber
To: Warren Block
Cc: freebsd-jail@FreeBSD.org
Subject: Re: check_dhcp

On Thu, Jul 24, 2014 at 09:49:28PM -0600, Warren Block wrote:
> On Thu, 24 Jul 2014, Glen Barber wrote:
>
> >On Thu, Jul 24, 2014 at 09:35:52PM -0600, Warren Block wrote:
> >>On Thu, 24 Jul 2014, Glen Barber wrote:
> >>>On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote:
> >>>>On Thu, 24 Jul 2014, Glen Barber wrote:
> >>>>>
> >>>>>The problem, I suspect, is that bpf(4) does not exist in the jail.
> >>>>
> >>>>It's there:
> >>>>
> >>>># ls -lh /dev/b*
> >>>>crw------- 1 root wheel 0x12 Jul 24 21:00 /dev/bpf
> >>>>lrwxr-xr-x 1 root wheel 3B Jul 24 20:08 /dev/bpf0 -> bpf
> >>>>
> >>>
> >>>This is within the jail?
> >>
> >>Yes. It also has allow.raw_sockets=1.
> >
> >Well, I ask, because I think bpf(4) should *not* exist in the jail
> >even with allow.raw_sockets=1.
> >
> > # sysctl security.jail.allow_raw_sockets
> > security.jail.allow_raw_sockets: 1
> > # ls /dev/bpf*
> > ls: No match.
>
> Yes, I had to unhide it with devfs:
>
> [devfsrules_jail_dhcp=5]
> add include $devfsrules_jail
> add path 'bpf*' unhide
>
> And then in /usr/local/etc/ezjail/jailname
> export jail_jailname_devfs_ruleset="5"

I think dhclient still will not work though, since it is set as 'nojail' in the /etc/rc.d/dhclient rc script. Does /var/run/dhclient* stuff exist in the jail, with valid entries? I suspect no, and if yes, I would argue this is a bug that it does.
Glen --Tg5qL4DubmxJEzuM Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJT0dU1AAoJELls3eqvi17QnYoP/0o8EOcuB6IzjKBpemBtDR+T 8dHhuxJSWd6CrkT8KoP9ZWaMkeSExJnpBIhrz2JD6aOZTqZBDAmYPJbpVKRravns elZUoDXYQuWLIoDPjYSKEbdLPn1dariCjGlwrfSW0I1kDFl+TUS9MlIjz6ubga9A xkTiRAit1Sk5VNBIG60zGg9kqIrGGBCFSxo5J6Ul7Qcndu6Ld4ZuT2w1S6B9YLhl 8q1OMD/k5i6Lekjo6694VFC7RcGD7b2PNbIdZH9ULe7KYhdjFiGEyaTq73weW+Dm wraZSZdeC36mZgy5a7bRvKnWNopFhS770VTh/gMOQRqsuBBYKhluRUgZmf9zKPys Wllc+xGxUYd6M1iYfPhy7Gp6fnkuyFSpZHY8IbC/Bj3AvEOVyf56GJ92zQmD8mB3 QBq23uAa5E3pYylmweabZ5f3SAsn2C4sZlZabiw6xqYjh0wCDpQE1790OhZJKO/B g4e4aUSSNOakCZkXG9E3/HtjdbC2pNM+ZJa7Vo0Wt66k4OA6cDO09seERq7M3tfN Z30zAXA/PD/HZZIie6XjIrDP60qMFp7OPvEBFL0e6dFYU0MKkFQVR4xvJm0mjYTg cpugrI7gRIb3qCgWGCV9hwsqoZqsejJ3MukIUSEPGv1espiFEYarh7gonGckKeBV UfMvhOdC5KL0MEJkexiz =ZckA -----END PGP SIGNATURE----- --Tg5qL4DubmxJEzuM-- From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 04:19:55 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B8919461; Fri, 25 Jul 2014 04:19:55 +0000 (UTC) Received: from wonkity.com (wonkity.com [67.158.26.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "wonkity.com", Issuer "wonkity.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 655792D81; Fri, 25 Jul 2014 04:19:55 +0000 (UTC) Received: from wonkity.com (localhost [127.0.0.1]) by wonkity.com (8.14.9/8.14.9) with ESMTP id s6P4JrIN033743 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 24 Jul 2014 22:19:53 -0600 (MDT) (envelope-from wblock@wonkity.com) Received: from localhost (wblock@localhost) by wonkity.com (8.14.9/8.14.9/Submit) with ESMTP id s6P4Jrvd033740; Thu, 24 Jul 2014 22:19:53 -0600 (MDT) (envelope-from 
wblock@wonkity.com) Date: Thu, 24 Jul 2014 22:19:53 -0600 (MDT) From: Warren Block To: Glen Barber Subject: Re: check_dhcp In-Reply-To: <20140725035533.GB1065@hub.FreeBSD.org> Message-ID: References: <20140725032045.GY1065@hub.FreeBSD.org> <20140725033114.GZ1065@hub.FreeBSD.org> <20140725034600.GA1065@hub.FreeBSD.org> <20140725035533.GB1065@hub.FreeBSD.org> User-Agent: Alpine 2.11 (BSF 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (wonkity.com [127.0.0.1]); Thu, 24 Jul 2014 22:19:53 -0600 (MDT) Cc: freebsd-jail@FreeBSD.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jul 2014 04:19:55 -0000 On Thu, 24 Jul 2014, Glen Barber wrote: > I think dhclient still will not work though, since it is set as 'nojail' > in /etc/rc.d/dhclient rc script. To be clear, what worked was running /sbin/dhclient, not the rc script. It requests and gets a lease, but does not manage to assign the address to the jail's interface. > Does /var/run/dhclient* stuff exist in the jail, with valid entries? It does create a pid file, and a dhclient.leases file in /var/db/. But the lease address is not assigned. > I suspect no, and if yes, I would argue this is a bug that it does. It runs, but toothlessly, which seems about right. 
:) From owner-freebsd-jail@FreeBSD.ORG Fri Jul 25 04:22:41 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from hub.FreeBSD.org (hub.freebsd.org [IPv6:2001:1900:2254:206c::16:88]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 123D5535; Fri, 25 Jul 2014 04:22:40 +0000 (UTC) Date: Fri, 25 Jul 2014 00:22:37 -0400 From: Glen Barber To: Warren Block Subject: Re: check_dhcp Message-ID: <20140725042237.GC1065@hub.FreeBSD.org> References: <20140725032045.GY1065@hub.FreeBSD.org> <20140725033114.GZ1065@hub.FreeBSD.org> <20140725034600.GA1065@hub.FreeBSD.org> <20140725035533.GB1065@hub.FreeBSD.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="TuBLotoxjxNtqonL" Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD 11.0-CURRENT amd64 X-SCUD-Definition: Sudden Completely Unexpected Dataloss X-SULE-Definition: Sudden Unexpected Learning Event User-Agent: Mutt/1.5.23 (2014-03-12) Cc: freebsd-jail@FreeBSD.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Jul 2014 04:22:41 -0000 --TuBLotoxjxNtqonL Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jul 24, 2014 at 10:19:53PM -0600, Warren Block wrote: > On Thu, 24 Jul 2014, Glen Barber wrote: >=20 > >I think dhclient still will not work though, since it is set as 'nojail' > >in /etc/rc.d/dhclient rc script. >=20 > To be clear, what worked was running /sbin/dhclient, not the rc script. It > requests and gets a lease, but does not manage to assign the address to t= he > jail's interface. >=20 Rightfully so. 
I would be worried if it did.[1]

> >Does /var/run/dhclient* stuff exist in the jail, with valid entries?
>
> It does create a pid file, and a dhclient.leases file in /var/db/.  But the
> lease address is not assigned.
>

Good, I would be worried about this, as well.[1]

> >I suspect no, and if yes, I would argue this is a bug that it does.
>
> It runs, but toothlessly, which seems about right. :)

[1] Consider a shared hosting provider using jail(8), where root access is
granted.  Such a case should not expect a dhclient(8) to arbitrarily succeed
on the network.

Glen

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 26 17:52:25 2014
Date: Sat, 26 Jul 2014 19:44:37 +0200
From: Alexander Leidinger
To: Warren Block
Subject: Re: Additional devfs rulesets
Message-ID: <20140726194437.00000ee4@Leidinger.net>
Cc: freebsd-jail@FreeBSD.org

On Thu, 24 Jul 2014 10:07:52 -0600 (MDT)
Warren Block wrote:

> devfsrules_jail is defined in /etc/defaults/devfs.rules, but a new
> ruleset is needed to unhide bpf devices for using check_dhcp in a
> jail.
>
> It seems clunky to define the new ruleset in /etc/devfs.rules on the
> host.  Is there a more elegant way to define it with the jail
> (ezjail) settings in /usr/local/etc?
>
> Although it would help with keeping devfs rules with the other jail
> settings, is the need for running services like dhcpd in a jail
> enough to justify adding a new ruleset for it
> to /etc/defaults/devfs.rules?
>
> [devfsrules_jail_dhcp=5]
> add include $devfsrules_jail
> add path 'bpf*' unhide

A while ago I tried to include a ruleset which includes other rulesets
in another ruleset.  It failed.  Seems the include is not "multi-level"
capable (or I did something very wrong back then).  So if this doesn't
work try to unroll the nested includes.

I'm not aware of another way than /etc/devfs.rules.

With bpf available in a jail I would assume you can sniff the entire
network from the jail, so if you add something in the defaults file you
should make sure it makes it clear that this "opens" the jail towards
the network from a security point of view much more than what is
possible without it.

Bye,
Alexander.
--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0xC773696B3BAC17DC
http://www.FreeBSD.org  netchild@FreeBSD.org  : PGP 0xC773696B3BAC17DC

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 26 20:13:28 2014
Date: Sat, 26 Jul 2014 14:13:19 -0600 (MDT)
From: Warren Block
To: Alexander Leidinger
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Additional devfs rulesets
In-Reply-To: <20140726194437.00000ee4@Leidinger.net>
References: <20140726194437.00000ee4@Leidinger.net>
On Sat, 26 Jul 2014, Alexander Leidinger wrote:

> On Thu, 24 Jul 2014 10:07:52 -0600 (MDT)
> Warren Block wrote:
>
>> devfsrules_jail is defined in /etc/defaults/devfs.rules, but a new
>> ruleset is needed to unhide bpf devices for using check_dhcp in a
>> jail.
>>
>> It seems clunky to define the new ruleset in /etc/devfs.rules on the
>> host.  Is there a more elegant way to define it with the jail
>> (ezjail) settings in /usr/local/etc?
>>
>> Although it would help with keeping devfs rules with the other jail
>> settings, is the need for running services like dhcpd in a jail
>> enough to justify adding a new ruleset for it
>> to /etc/defaults/devfs.rules?
>>
>> [devfsrules_jail_dhcp=5]
>> add include $devfsrules_jail
>> add path 'bpf*' unhide
>
> A while ago I tried to include a ruleset which includes other rulesets
> in another ruleset.  It failed.  Seems the include is not "multi-level"
> capable (or I did something very wrong back then).  So if this doesn't
> work try to unroll the nested includes.

I wondered about that too, but it did work.  The devfsrules_jail ruleset
(#4) itself includes earlier-defined sets.  However, the rule could not be
specified by name in the ezjail config file:

# did not work
export jail_jailname_devfs_ruleset="devfsrules_jail"

# does work
export jail_jailname_devfs_ruleset="5"

> I'm not aware of another way than /etc/devfs.rules.

If devfs accepted an optional file parameter, additional rulesets could be
defined with for each jail.  There might be security implications with that.

> With bpf available in a jail I would assume you can sniff the entire
> network from the jail, so if you add something in the defaults file you
> should make sure it makes it clear that this "opens" the jail towards
> the network from a security point of view much more than what is
> possible without it.

That's a good point, and another way adding rulesets from other files could
be useful.
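Two points from this thread, Alexander's suggestion to unroll nested includes and his warning about what unhiding bpf* means, are easier to audit with the effective rule list in front of you. The script below is an added example, not from the thread, ezjail or FreeBSD itself: POSIX sh plus awk that flattens one devfs.rules ruleset by recursively expanding `add include $name` lines, then checks whether bpf devices end up unhidden. The devfs.rules content is a constructed sample in the format of /etc/defaults/devfs.rules; its ruleset numbers and rules are illustrative, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): flatten one devfs.rules
# ruleset by unrolling "add include $name" lines, so the effective rule list
# a jail receives can be audited (e.g. does bpf* end up unhidden?).
# Constructed sample in /etc/defaults/devfs.rules format; numbers and rules
# are illustrative, not copied from a real host.
RULES_FILE="${TMPDIR:-/tmp}/devfs.rules.example.$$"
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path zfs unhide
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide
EOF

# expand_ruleset FILE NAME: print NAME's rules with every nested include
# replaced by the included ruleset's own (already expanded) rules.
expand_ruleset() {
    awk -v want="$2" '
        # "[name=N]" starts a ruleset; collect its lines under that name
        /^\[.*=[0-9]+\]$/ { split(substr($0, 2, length($0) - 2), kv, "="); cur = kv[1]; next }
        cur != "" && NF > 0 { rules[cur] = rules[cur] $0 "\n" }
        function expand(name, depth,   n, i, lines) {
            if (depth > 16) { print "include loop at " name > "/dev/stderr"; exit 1 }
            n = split(rules[name], lines, "\n")
            for (i = 1; i <= n; i++) {
                if (lines[i] == "") continue
                if (lines[i] ~ /^add include \$/) expand(substr(lines[i], 14), depth + 1)
                else print lines[i]
            }
        }
        END { expand(want, 0) }
    ' "$1"
}

# unhides_bpf FILE NAME: succeeds when the flattened ruleset unhides bpf
# devices, i.e. the jail could capture traffic on the host's interfaces.
unhides_bpf() {
    expand_ruleset "$1" "$2" | grep -q "^add path 'bpf\*' unhide$"
}
expand_ruleset "$RULES_FILE" devfsrules_jail_dhcp
```

Run it against the real /etc/defaults/devfs.rules (or /etc/devfs.rules) with the ruleset name you hand to ezjail to see exactly which devices that jail will be able to open.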