Date:      Thu, 24 Jul 2014 23:55:33 -0400
From:      Glen Barber <gjb@FreeBSD.org>
To:        Warren Block <wblock@wonkity.com>
Cc:        freebsd-jail@FreeBSD.org
Subject:   Re: check_dhcp
Message-ID:  <20140725035533.GB1065@hub.FreeBSD.org>
In-Reply-To: <alpine.BSF.2.11.1407242147440.3624@wonkity.com>
References:  <alpine.BSF.2.11.1407242042240.3624@wonkity.com> <20140725032045.GY1065@hub.FreeBSD.org> <alpine.BSF.2.11.1407242122540.3624@wonkity.com> <20140725033114.GZ1065@hub.FreeBSD.org> <alpine.BSF.2.11.1407242132590.3624@wonkity.com> <20140725034600.GA1065@hub.FreeBSD.org> <alpine.BSF.2.11.1407242147440.3624@wonkity.com>


On Thu, Jul 24, 2014 at 09:49:28PM -0600, Warren Block wrote:
> On Thu, 24 Jul 2014, Glen Barber wrote:
>
> >On Thu, Jul 24, 2014 at 09:35:52PM -0600, Warren Block wrote:
> >>On Thu, 24 Jul 2014, Glen Barber wrote:
> >>>On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote:
> >>>>On Thu, 24 Jul 2014, Glen Barber wrote:
> >>>>>
> >>>>>The problem, I suspect, is that bpf(4) does not exist in the jail.
> >>>>
> >>>>It's there:
> >>>>
> >>>># ls -lh /dev/b*
> >>>>crw-------  1 root  wheel   0x12 Jul 24 21:00 /dev/bpf
> >>>>lrwxr-xr-x  1 root  wheel     3B Jul 24 20:08 /dev/bpf0 -> bpf
> >>>>
> >>>
> >>>This is within the jail?
> >>
> >>Yes.  It also has allow.raw_sockets=1.
> >
> >Well, I ask, because I think bpf(4) should *not* exist in the jail
> >even with allow.raw_sockets=1.
> >
> >   # sysctl security.jail.allow_raw_sockets
> >   security.jail.allow_raw_sockets: 1
> >   # ls /dev/bpf*
> >   ls: No match.
>
> Yes, I had to unhide it with devfs:
>
>   [devfsrules_jail_dhcp=5]
>   add include $devfsrules_jail
>   add path 'bpf*' unhide
>
> And then in /usr/local/etc/ezjail/jailname
>   export jail_jailname_devfs_ruleset="5"

I think dhclient still will not work though, since it is set as 'nojail'
in /etc/rc.d/dhclient rc script.

Does /var/run/dhclient* stuff exist in the jail, with valid entries?

I suspect no, and if yes, I would argue this is a bug that it does.

Glen

