Date: Thu, 24 Jul 2014 23:55:33 -0400
From: Glen Barber
To: Warren Block
Cc: freebsd-jail@FreeBSD.org
Subject: Re: check_dhcp

On Thu, Jul 24, 2014 at 09:49:28PM -0600, Warren Block wrote:
> On Thu, 24 Jul 2014, Glen Barber wrote:
>
> >On Thu, Jul 24, 2014 at 09:35:52PM -0600, Warren Block wrote:
> >>On Thu, 24 Jul 2014, Glen Barber wrote:
> >>>On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote:
> >>>>On Thu, 24 Jul 2014, Glen Barber wrote:
> >>>>>
> >>>>>The problem, I suspect, is that bpf(4) does not exist in the jail.
> >>>>
> >>>>It's there:
> >>>>
> >>>># ls -lh /dev/b*
> >>>>crw------- 1 root wheel 0x12 Jul 24 21:00 /dev/bpf
> >>>>lrwxr-xr-x 1 root wheel 3B Jul 24 20:08 /dev/bpf0 -> bpf
> >>>>
> >>>
> >>>This is within the jail?
> >>
> >>Yes. It also has allow.raw_sockets=1.
> >
> >Well, I ask, because I think bpf(4) should *not* exist in the jail
> >even with allow.raw_sockets=1.
> >
> > # sysctl security.jail.allow_raw_sockets
> > security.jail.allow_raw_sockets: 1
> > # ls /dev/bpf*
> > ls: No match.
>
> Yes, I had to unhide it with devfs:
>
> [devfsrules_jail_dhcp=5]
> add include $devfsrules_jail
> add path 'bpf*' unhide
>
> And then in /usr/local/etc/ezjail/jailname
> export jail_jailname_devfs_ruleset="5"

I think dhclient still will not work though, since it is set as 'nojail'
in /etc/rc.d/dhclient rc script.

Does /var/run/dhclient* stuff exist in the jail, with valid entries?
I suspect no, and if yes, I would argue this is a bug that it does.

Glen
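
An added example, not part of the thread or of FreeBSD's own tooling: a small audit helper that parses devfs.rules text, expands `add include` lines, and reports whether a device node such as bpf ends up visible under a given ruleset. The sample rules are constructed (the contents shown for `devfsrules_jail` are a simplified assumption), and pattern matching is modelled with Python's `fnmatch`.

```python
import fnmatch
import re

# Constructed sample: the thread's ruleset 5 plus a simplified stand-in for the
# stock devfsrules_jail (its contents here are an assumption, not from the page).
SAMPLE_RULES = """\
[devfsrules_hide_all=1]
add hide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add path null unhide
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide
"""

def parse_rulesets(text):
    """Return {ruleset name: [rule tokens, ...]} for each [name=number] section."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^\[(\w+)=(\d+)\]$", line)
        if m:
            current = rulesets.setdefault(m.group(1), [])
        elif current is not None and line.startswith("add "):
            current.append(line[4:].replace("'", "").split())
    return rulesets

def flatten(rulesets, name, seen=()):
    """Expand 'include $other' in place, preserving rule order."""
    if name in seen:
        raise ValueError(f"include loop at {name}")
    out = []
    for rule in rulesets[name]:
        nested = rule[0] == "include"
        out += flatten(rulesets, rule[1].lstrip("$"), seen + (name,)) if nested else [rule]
    return out

def visible(rulesets, name, device):
    """Apply rules in order; the last matching hide/unhide decides visibility."""
    shown = True  # a devfs node is visible unless some rule hides it
    for rule in flatten(rulesets, name):
        pattern = rule[1] if rule[0] == "path" else "*"   # bare 'hide' matches all
        if rule[-1] in ("hide", "unhide") and fnmatch.fnmatchcase(device, pattern):
            shown = rule[-1] == "unhide"
    return shown
```

Calling `visible(parse_rulesets(text), "devfsrules_jail_dhcp", "bpf0")` on a host's real devfs.rules shows which jail rulesets hand bpf(4) to a jail.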