Date: Thu, 24 Jul 2014 23:55:33 -0400 From: Glen Barber <gjb@FreeBSD.org> To: Warren Block <wblock@wonkity.com> Cc: freebsd-jail@FreeBSD.org Subject: Re: check_dhcp Message-ID: <20140725035533.GB1065@hub.FreeBSD.org> In-Reply-To: <alpine.BSF.2.11.1407242147440.3624@wonkity.com> References: <alpine.BSF.2.11.1407242042240.3624@wonkity.com> <20140725032045.GY1065@hub.FreeBSD.org> <alpine.BSF.2.11.1407242122540.3624@wonkity.com> <20140725033114.GZ1065@hub.FreeBSD.org> <alpine.BSF.2.11.1407242132590.3624@wonkity.com> <20140725034600.GA1065@hub.FreeBSD.org> <alpine.BSF.2.11.1407242147440.3624@wonkity.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Tg5qL4DubmxJEzuM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jul 24, 2014 at 09:49:28PM -0600, Warren Block wrote: > On Thu, 24 Jul 2014, Glen Barber wrote: >=20 > >On Thu, Jul 24, 2014 at 09:35:52PM -0600, Warren Block wrote: > >>On Thu, 24 Jul 2014, Glen Barber wrote: > >>>On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote: > >>>>On Thu, 24 Jul 2014, Glen Barber wrote: > >>>>> > >>>>>The problem, I suspect, is that bpf(4) does not exist in the jail. > >>>> > >>>>It's there: > >>>> > >>>># ls -lh /dev/b* > >>>>crw------- 1 root wheel 0x12 Jul 24 21:00 /dev/bpf > >>>>lrwxr-xr-x 1 root wheel 3B Jul 24 20:08 /dev/bpf0 -> bpf > >>>> > >>> > >>>This is within the jail? > >> > >>Yes. It also has allow.raw_sockets=3D1. > > > >Well, I ask, because I think bpf(4) should *not* exist in the jail > >even with allow.raw_sockets=3D1. > > > > # sysctl security.jail.allow_raw_sockets > > security.jail.allow_raw_sockets: 1 > > # ls /dev/bpf* > > ls: No match. >=20 > Yes, I had to unhide it with devfs: >=20 > [devfsrules_jail_dhcp=3D5] > add include $devfsrules_jail > add path 'bpf*' unhide >=20 > And then in /usr/local/etc/ezjail/jailname > export jail_jailname_devfs_ruleset=3D"5" I think dhclient still will not work though, since it is set as 'nojail' in /etc/rc.d/dhclient rc script. Does /var/run/dhclient* stuff exist in the jail, with valid entries? I suspect no, and if yes, I would argue this is a bug that it does. Glen --Tg5qL4DubmxJEzuM Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJT0dU1AAoJELls3eqvi17QnYoP/0o8EOcuB6IzjKBpemBtDR+T 8dHhuxJSWd6CrkT8KoP9ZWaMkeSExJnpBIhrz2JD6aOZTqZBDAmYPJbpVKRravns elZUoDXYQuWLIoDPjYSKEbdLPn1dariCjGlwrfSW0I1kDFl+TUS9MlIjz6ubga9A xkTiRAit1Sk5VNBIG60zGg9kqIrGGBCFSxo5J6Ul7Qcndu6Ld4ZuT2w1S6B9YLhl 8q1OMD/k5i6Lekjo6694VFC7RcGD7b2PNbIdZH9ULe7KYhdjFiGEyaTq73weW+Dm wraZSZdeC36mZgy5a7bRvKnWNopFhS770VTh/gMOQRqsuBBYKhluRUgZmf9zKPys Wllc+xGxUYd6M1iYfPhy7Gp6fnkuyFSpZHY8IbC/Bj3AvEOVyf56GJ92zQmD8mB3 QBq23uAa5E3pYylmweabZ5f3SAsn2C4sZlZabiw6xqYjh0wCDpQE1790OhZJKO/B g4e4aUSSNOakCZkXG9E3/HtjdbC2pNM+ZJa7Vo0Wt66k4OA6cDO09seERq7M3tfN Z30zAXA/PD/HZZIie6XjIrDP60qMFp7OPvEBFL0e6dFYU0MKkFQVR4xvJm0mjYTg cpugrI7gRIb3qCgWGCV9hwsqoZqsejJ3MukIUSEPGv1espiFEYarh7gonGckKeBV UfMvhOdC5KL0MEJkexiz =ZckA -----END PGP SIGNATURE----- --Tg5qL4DubmxJEzuM--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140725035533.GB1065>