Date:      Sat, 26 Jul 2014 19:44:37 +0200
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        Warren Block <wblock@wonkity.com>
Cc:        freebsd-jail@FreeBSD.org
Subject:   Re: Additional devfs rulesets
Message-ID:  <20140726194437.00000ee4@Leidinger.net>
In-Reply-To: <alpine.BSF.2.11.1407240945210.65901@wonkity.com>
References:  <alpine.BSF.2.11.1407240945210.65901@wonkity.com>

On Thu, 24 Jul 2014 10:07:52 -0600 (MDT)
Warren Block <wblock@wonkity.com> wrote:

> devfsrules_jail is defined in /etc/defaults/devfs.rules, but a new 
> ruleset is needed to unhide bpf devices for using check_dhcp in a
> jail.
> 
> It seems clunky to define the new ruleset in /etc/devfs.rules on the 
> host.  Is there a more elegant way to define it with the jail
> (ezjail) settings in /usr/local/etc?
> 
> Although it would help with keeping devfs rules with the other jail 
> settings, is the need for running services like dhcpd in a jail
> enough to justify adding a new ruleset for it
> to /etc/defaults/devfs.rules?
> 
> [devfsrules_jail_dhcp=5]
> add include $devfsrules_jail
> add path 'bpf*' unhide

A while ago I tried to include a ruleset which includes other rulesets
in another ruleset. It failed. Seems the include is not "multi-level"
capable (or I did something very wrong back then). So if this doesn't
work try to unroll the nested includes.

I'm not aware of another way than /etc/devfs.rules.

With bpf available in a jail I would assume you can sniff the entire
network from the jail, so if you add something in the defaults file you
should make sure it makes it clear that this "opens" the jail towards
the network from a security point of view much more than what is
possible without it.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0xC773696B3BAC17DC
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0xC773696B3BAC17DC
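The unrolled form of the ruleset from the quoted message, added here as an illustration and not part of the original thread: $devfsrules_jail is replaced by the three rulesets it is built from, so no include points at a ruleset that itself contains includes. It assumes those three rulesets are the ones the stock /etc/defaults/devfs.rules of that period defines under the names below; check them against the copy on your host.

```conf
# Added example (not from the thread): devfsrules_jail_dhcp with the
# nested include unrolled. Instead of "add include $devfsrules_jail",
# the three rulesets that devfsrules_jail=4 consists of are included
# directly, so there is only one level of includes.
# Assumption: the names below match the stock /etc/defaults/devfs.rules
# of this period (verify against your own file).
[devfsrules_jail_dhcp=5]
# what devfsrules_jail expands to: hide everything, then expose the
# basic devices (null, zero, random, ...) and the login devices (tty, pts, fd)
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# the only addition beyond the jail defaults: the bpf devices the jail
# needs for dhcp checks. As noted above, this also gives the jail raw
# packet access, so keep it limited to jails that actually need it.
add path 'bpf*' unhide
```

Once the rules are loaded, `devfs rule -s 5 show` prints the resulting ruleset, which makes it easy to confirm that nothing beyond `bpf*` was added to the jail defaults.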
