Date: Wed, 17 Aug 2016 09:36:15 +0200
From: Alexander Leidinger <Alexander@leidinger.net>
To: CyberLeo Kitsana <cyberleo@cyberleo.net>
Cc: Ernie Luzar <luzar722@gmail.com>, "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, freebsd-jail@freebsd.org, Freebsd Questions <FreeBSD-questions@freebsd.org>, krad <kraduk@gmail.com>
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
Message-ID: <20160817093615.Horde.6B4nFB_mNqhEm9nGwvdsXWg@webmail.leidinger.net>
In-Reply-To: <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net>
References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <CALfReyeR_4pM6FsrFZxTbHNoC1_yd3SZW72Ze9Bo354itzEgWQ@mail.gmail.com> <F610E6D1-6622-4E15-98B4-F7AD58EEA9CF@lists.zabbadoz.net> <57B375C6.9030500@gmail.com> <b640b4fa-ba88-9fde-41a0-339d9d4a897b@cyberleo.net>

Quoting CyberLeo Kitsana <cyberleo@cyberleo.net> (from Tue, 16 Aug 2016 16:08:42 -0500):

>> Issuing "ipfstat -hnio command from within the vnet jail gives this
>> message, open(IPSTATE_NAME):no such file or directory.
>
> ipfstat(8) also lists /dev/kmem ; I suspect that including this may be a
> bad idea.

kmem will give access to the complete memory of the host. If your goal is tighter security (instead of just improved manageability due to a less wide scope of the rules needed), then this is a no-go.

Just adding kmem in the devfs rules will not help anyway, the kernel disallows access to it even if present in the jail (except if you run my X11-in-a-jail patch and have the corresponding option activated for the jail).

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF