From owner-svn-src-head@FreeBSD.ORG Mon Mar 19 08:42:47 2012 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A7CD0106566B; Mon, 19 Mar 2012 08:42:47 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from mail.ebusiness-leidinger.de (mail.ebusiness-leidinger.de [217.11.53.44]) by mx1.freebsd.org (Postfix) with ESMTP id 0D4498FC0A; Mon, 19 Mar 2012 08:42:46 +0000 (UTC) Received: from outgoing.leidinger.net (p4FC42C11.dip.t-dialin.net [79.196.44.17]) by mail.ebusiness-leidinger.de (Postfix) with ESMTPSA id 8432F8443EA; Mon, 19 Mar 2012 09:42:25 +0100 (CET) Received: from webmail.leidinger.net (webmail.Leidinger.net [IPv6:fd73:10c7:2053:1::3:102]) by outgoing.leidinger.net (Postfix) with ESMTPS id A42F7229B; Mon, 19 Mar 2012 09:42:22 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=leidinger.net; s=outgoing-alex; t=1332146542; bh=ddW6okA8sja/h692ifDNM9Q1DA44YuyjL1Fttl7zV+c=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=lmiaLxSog5uUEaREBDL+OIDgMAoSoG2AuFCwihFWyVGrCd0rt7QYoo1lYpRsoHWmB YVXeb6KzBuC6iG6UOx6GK3IVYaCCeTgiNLalgUVCVfiryTensIyDCdT/TqfunC06hz wyi+c2frncrnGNcvnxfcGM1/U7GlC4dz/d01QjtEKju1RLapXZ6vGFuYOeDLoTdkZW 2bRLxGl/q6lYnPgBvNmZx9v5WbFI6hH0wVBxzGcQNVdKCZpHJRqRRnuKSPGR1YvNQs 2yetolzHNfh2deH7V7/0MwTGRUPe36iG1LYaQnzKomiR3TJV//eKxmmI9UPwXhYZO7 kHTFOCiiPrgZQ== Received: (from www@localhost) by webmail.leidinger.net (8.14.5/8.14.4/Submit) id q2J8gMBA026961; Mon, 19 Mar 2012 09:42:22 +0100 (CET) (envelope-from Alexander@Leidinger.net) X-Authentication-Warning: webmail.leidinger.net: www set sender to Alexander@Leidinger.net using -f Received: from 195.46.238.194 ([195.46.238.194]) by webmail.leidinger.net (Horde Framework) with HTTP; Mon, 19 Mar 2012 09:42:22 +0100 Date: Mon, 19 Mar 2012 09:42:22 +0100 Message-ID: <20120319094222.Horde.3rlwV5jmRSRPZvFuXTdGj_A@webmail.leidinger.net> From: Alexander Leidinger To: Martin Matuska References: <201203162130.q2GLUQaw035726@svn.freebsd.org> <20120317163539.00004d8f@unknown> <4F6653C6.6020405@FreeBSD.org> <4F665895.1050803@FreeBSD.org> In-Reply-To: <4F665895.1050803@FreeBSD.org> User-Agent: Internet Messaging Program (IMP) H4 (5.0.19) Content-Type: text/plain; charset=ISO-8859-1; format=flowed; DelSp=Yes MIME-Version: 1.0 Content-Disposition: inline X-EBL-MailScanner-Information: Please contact the ISP for more information X-EBL-MailScanner-ID: 8432F8443EA.A0D5F X-EBL-MailScanner: Found to be clean X-EBL-MailScanner-SpamCheck: not spam, spamhaus-ZEN, SpamAssassin (not cached, score=-0.228, required 6, autolearn=disabled, AWL -0.27, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, TW_SV 0.08, TW_ZF 0.08, T_RP_MATCHES_RCVD -0.01) X-EBL-MailScanner-From: alexander@leidinger.net X-EBL-MailScanner-Watermark: 1332751346.18171@5JKY4tctYl98spRQVRaj3A X-EBL-Spam-Status: No Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, pjd@FreeBSD.org, jamie@FreeBSD.org Subject: Re: svn commit: r233048 - head/etc/defaults X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Mar 2012 08:42:47 -0000 Quoting Martin Matuska (from Sun, 18 Mar 2012 22:50:13 +0100): > On 18.3.2012 22:29, Martin Matuska wrote: >> On 17.3.2012 16:35, Alexander Leidinger wrote: >>> On Fri, 16 Mar 2012 21:30:26 +0000 (UTC) Martin Matuska >>> wrote: >>> >>>> Author: mm >>>> Date: Fri Mar 16 21:30:26 2012 >>>> New Revision: 233048 >>>> URL: http://svn.freebsd.org/changeset/base/233048 >>>> >>>> Log: >>>> Unhide /dev/zfs in devfsrules_jail. >>>> >>>> The /dev/zfs device is required for managing jailed ZFS datasets. >>> This may give more info to a jail (ZFS is in use on this machine) than >>> what someone may want to provide. I have separate rulesets for jails >>> without and with ZFS (actually the one without is the default one and >>> the one with is a new one): >>> ---snip--- >>> ... >>> >>> [devfsrules_unhide_zfs=12] >>> add path zfs unhide >>> >>> ... >>> >>> [devfsrules_jail_withzfs=16] >>> add include $devfsrules_hide_all >>> add include $devfsrules_unhide_basic >>> add include $devfsrules_unhide_login >>> add include $devfsrules_unhide_zfs >>> ---snip--- >>> >>> Anyone with arguments why this may be overly paranoid? If not, I would >>> suggest that we go this way instead. >>> >>> Bye, >>> Alexander. >>> >> The only disclosed information I know of is whether the zfs module is >> loaded on your system. >> Other alternative I was thinking of would be using a new ruleset (e.g. >> devfsrules_jail_zfs=5). >> The disadvantage here is that users that already have defined a ruleset >> with this number should be informed somehow. Well... we always have this issue. If the rulsets in defaults changes, the user has to change his own rulesets. I have a lot of rules on my system and there was at least one occasion where I had to handle a change because of this. I don't remember if there was an entry in UPDATING or not, but I don't think we should make a decission about it based upon if an user has to renumber his rulesets or not. As the rulesets do not need to be continous, we may want to add an advise to the man-page(s) to start at a specifc value for the ruleset-numbers and reserve everything below for the system. I didn't do this myself, and I have a lot of rulesets, for me this falls within 'nice to have but easy to handle'. > Btw. jail has access to sysctl(8) and this discloses a *LOT* of > information, including if ZFS is loaded or not (existence of vfs.zfs) > and all its settings and statistics, hardware devices, geom devices, > network card counters and many more. Compared to this is /dev/zfs really > a minor issue :-) I agree. > Until we limit the output of sysctl() we don't hide this information > just by hiding /dev/zfs. What about not imported pools. Can I see them in jails or are they hidden (I don't have one around to test ATM)? Bye, Alexander. -- Don't drink when you drive -- you might hit a bump and spill it. http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137