From: Alexander Leidinger <alexander@leidinger.net>
To: CyberLeo Kitsana
Cc: Ernie Luzar, "Bjoern A. Zeeb", freebsd-jail@freebsd.org, Freebsd Questions, krad
Date: Wed, 17 Aug 2016 09:36:15 +0200
Subject: Re: testing 11.0-RC1 vnet jails with ipfilter
Message-ID: <20160817093615.Horde.6B4nFB_mNqhEm9nGwvdsXWg@webmail.leidinger.net>
References: <57B1E1BC.4090205@gmail.com> <078403E1-D8A3-4E52-B218-7A8B4400749A@lists.zabbadoz.net> <57B375C6.9030500@gmail.com>
List-Id: "Discussion about FreeBSD jail(8)"
Quoting CyberLeo Kitsana (from Tue, 16 Aug 2016 16:08:42 -0500):

>> Issuing the "ipfstat -hnio" command from within the vnet jail gives this
>> message: open(IPSTATE_NAME): no such file or directory.
>
> ipfstat(8) also lists /dev/kmem; I suspect that including this may be a
> bad idea.

kmem will give access to the complete memory of the host. If your goal
is tighter security (instead of just improved manageability due to a
less wide scope of the rules needed), then this is a no-go.

Just adding kmem in the devfs rules will not help anyway, the kernel
disallows access to it even if present in the jail (unless you run my
X11-in-a-jail patch and have the corresponding option activated for
the jail).

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
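The practical upshot of the exchange above is a devfs ruleset that unhides ipfilter's control devices for the vnet jail while leaving kmem out. The following script is an added example written for this page, not code from the thread or from FreeBSD itself. It assumes (verify with `ls /dev` on your host) that ipfilter on FreeBSD creates /dev/ipl, /dev/ipnat, /dev/ipstate, /dev/ipauth, /dev/ipsync, /dev/ipscan and /dev/iplookup, that IPSTATE_NAME in the quoted error resolves to /dev/ipstate, and that ruleset number 5 is unused in your /etc/devfs.rules. It writes the ruleset in devfs.rules(5) syntax and audits any ruleset file for lines that would unhide kmem, mem or io before it is applied to a jail's /dev.

```sh
#!/bin/sh
# Added example, not code from the thread: a devfs(8) ruleset for a vnet jail
# that exposes ipfilter's control devices on top of the stock jail rules, plus
# a small audit that rejects rulesets unhiding host memory devices.
#
# Assumptions (check with `ls /dev` on your host): ipfilter creates /dev/ipl,
# /dev/ipnat, /dev/ipstate, /dev/ipauth, /dev/ipsync, /dev/ipscan and
# /dev/iplookup, and ruleset number 5 is unused in /etc/devfs.rules.

# Ruleset text in devfs.rules(5) syntax. The $devfsrules_* includes are the
# stock rulesets from /etc/defaults/devfs.rules; the unhide lines add only the
# ipfilter nodes. kmem is deliberately absent: a jailed process cannot open it
# even when it is visible, so listing it buys nothing and advertises intent to
# hand out host memory.
JAIL_IPF_RULESET='[devfsrules_jail_ipf=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path ipl unhide
add path ipnat unhide
add path ipstate unhide
add path ipauth unhide
add path ipsync unhide
add path ipscan unhide
add path iplookup unhide
'

# write_ruleset FILE: write the ruleset above to FILE (for real use, append it
# to /etc/devfs.rules and select it in jail.conf with `devfs_ruleset = 5;`).
write_ruleset() {
    printf '%s' "$JAIL_IPF_RULESET" > "$1"
}

# unhidden_devices FILE: print the device names FILE unhides, one per line,
# with surrounding quotes stripped. Only "add path NAME unhide" lines count;
# "add include" lines are not expanded.
unhidden_devices() {
    awk -v q="'" '
        $1 == "add" && $2 == "path" && $4 == "unhide" {
            dev = $3; gsub(q, "", dev); gsub(/"/, "", dev); print dev
        }' "$1"
}

# audit_devfs_rules FILE: return 0 when FILE unhides none of kmem, mem or io,
# 1 otherwise (offending names go to stderr). Run before applying a ruleset.
audit_devfs_rules() {
    unhidden_devices "$1" | awk '
        BEGIN { bad = 0 }
        $0 == "kmem" || $0 == "mem" || $0 == "io" {
            print "ruleset unhides host memory device: " $0 > "/dev/stderr"
            bad = 1
        }
        END { exit bad }'
}

# Stand-alone demonstration: write the ruleset to a temporary file, audit it
# and show how it would be applied to a jail's devfs mount.
_tmp=$(mktemp) || exit 1
write_ruleset "$_tmp"
if audit_devfs_rules "$_tmp"; then
    echo "ruleset OK; apply with: devfs -m /path/to/jail/dev rule -s 5 applyset"
fi
rm -f "$_tmp"
```

After applying the ruleset (or restarting the jail with `devfs_ruleset = 5;`), `ls -l /path/to/jail/dev` should show the ipfilter nodes and no kmem, and `ipfstat -hnio` inside the jail should open /dev/ipstate instead of failing. The audit deliberately treats mem and io the same way as kmem, since all three expose the host rather than the jail.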