Date: Thu, 9 Sep 2010 17:10:48 -0300
From: "Luiz Gustavo S. Costa" <luizgustavo@luizgustavo.pro.br>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: FreeBSD virtualization mailing list <freebsd-virtualization@freebsd.org>
Subject: Re: [patch] allow testing VIMAGE with pf in base system only
Message-ID: <AANLkTinzOKwuWwtiA5bGvc5sKaHGtBvgJpNvV6_rfqGL@mail.gmail.com>
In-Reply-To: <20100909195951.S31898@maildrop.int.zabbadoz.net>
References: <20100907164529.O31898@maildrop.int.zabbadoz.net> <AANLkTikheuZs=qNw24Hr8vJ3A1Qo%2Bk-0eHW=cb2c17qi@mail.gmail.com> <20100909195951.S31898@maildrop.int.zabbadoz.net>

lol .... in the rush to see the patch working I did not read the head of it :p
has every reason only disable dev ;)

2010/9/9 Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net>:
> On Thu, 9 Sep 2010, Luiz Gustavo S. Costa wrote:
>
> Hey,
>
>> But I found something that may be unsafe within the jail environment,
>> I'm allowed to change /dev/pf, so that if I run a "pfctl -f
>> /etc/pf.conf" inside the jail to do with that the rules are read
>> again, killing pf.conf on the main environment
>
> yes, see the comment at the top of the patch:
>
> ! You should not leak /dev/pf into jails for now or they might
> ! change your rules;-)
>
> See devfs, devfs.rules, etc.  The jail startup script would usually
> apply the devfsrules_jail defines in /etc/defaults/devfs.rules.
>
> /bz
>
> --
> Bjoern A. Zeeb                              Welcome a new stage of life.
>

--
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: contato@mundounix.com.br
Tel: 55
Blog: http://www.luizgustavo.pro.br
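
A static check for the devfs point made in the thread above, as an added example that is not part of the original messages or of the patch: it evaluates whether a devfs ruleset would leave a node such as `pf` visible in a jail. The sample rules are constructed, `devfsrules_jail_pf` is a hypothetical local ruleset, and the evaluation is a simplified model that handles only `include`, `path`, `hide` and `unhide`.

```python
import fnmatch
import re

# Constructed sample in devfs.rules syntax. devfsrules_jail follows the shape
# of the stock ruleset; devfsrules_jail_pf is a hypothetical local ruleset.
SAMPLE_RULES = """\
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
[devfsrules_jail_pf=10]
add include $devfsrules_jail
add path pf unhide   # this is the leak
"""

def parse_rulesets(text):
    """Map each [name=number] section to its list of 'add' rule words."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)=\d+\]", line)
        if header:
            current = rulesets.setdefault(header.group(1), [])
        elif line.startswith("add ") and current is not None:
            current.append(line.split()[1:])
    return rulesets

def node_visible(rulesets, name, node, visible=True, seen=()):
    """Walk the rules in order; the last matching hide/unhide decides."""
    if name in seen:
        raise ValueError("include loop at " + name)
    for words in rulesets[name]:
        if words[0] == "include":
            visible = node_visible(rulesets, words[1].lstrip("$"), node,
                                   visible, seen + (name,))
            continue
        if words[0] == "type":  # device-type conditions are not modelled here
            continue
        pattern = "*"
        if words[0] == "path":
            pattern, words = words[1], words[2:]
        if fnmatch.fnmatchcase(node, pattern):
            if "hide" in words:
                visible = False
            elif "unhide" in words:
                visible = True
    return visible
```

Calling `node_visible(parse_rulesets(text), "devfsrules_jail", "pf")` on the contents of a real rules file answers the question for the ruleset a jail is started with.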