Date: Sat, 26 Jul 2014 19:44:37 +0200 From: Alexander Leidinger <Alexander@Leidinger.net> To: Warren Block <wblock@wonkity.com> Cc: freebsd-jail@FreeBSD.org Subject: Re: Additional devfs rulesets Message-ID: <20140726194437.00000ee4@Leidinger.net> In-Reply-To: <alpine.BSF.2.11.1407240945210.65901@wonkity.com> References: <alpine.BSF.2.11.1407240945210.65901@wonkity.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 24 Jul 2014 10:07:52 -0600 (MDT) Warren Block <wblock@wonkity.com> wrote: > devfsrules_jail is defined in /etc/defaults/devfs.rules, but a new > ruleset is needed to unhide bpf devices for using check_dhcp in a > jail. > > It seems clunky to define the new ruleset in /etc/devfs.rules on the > host. Is there a more elegant way to define it with the jail > (ezjail) settings in /usr/local/etc? > > Although it would help with keeping devfs rules with the other jail > settings, is the need for running services like dhcpd in a jail > enough to justify adding a new ruleset for it > to /etc/defaults/devfs.rules? > > [devfsrules_jail_dhcp=5] > add include $devfsrules_jail > add path 'bpf*' unhide A while ago I tried to include a ruleset which includes other rulesets in another ruleset. It failed. Seems the include is not "multi-level" capable (or I did something very wrong back then). So if this doesn't work try to unroll the nested includes. I'm not aware of another way than /etc/devfs.rules. With bpf available in a jail I would assume you can sniff the entire network from the jail, so if you add something in the defaults file you should make sure it makes it clear that this "opens" the jail towards the network from a security point of view much more than what is possible without it. Bye, Alexander. -- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0xC773696B3BAC17DC http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0xC773696B3BAC17DC
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140726194437.00000ee4>