To: freebsd-questions@freebsd.org
From: beebeetles@posteo.de
Subject: Risks of "unhiding" Device Nodes in devfs.rules for jails?
Date: Sun, 22 Aug 2021 04:26:57 +0000

Hi all,

I'm trying to understand the implications of "unhiding" device nodes for jails through `devfs.rules`. In particular, I'm hoping to know if there are any security risks incurred by unhiding certain device nodes.

For example, if I create a devfs ruleset with the following rule for a vnet jail:

    add path 'bpf*' unhide

will packets going through the host system become visible to the jail?

As another example, if I do `add path 'da*' unhide`, does /dev/da0 become accessible (for read and write) to the jail?

If unhiding device nodes creates no risk, why would one need the ability to hide device nodes at all?

Thank you.
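
An added example, not part of the original post: a Python sketch that parses devfs.rules-style text, expands `add include` lines, and reports which device node names a ruleset leaves visible, so a jail's ruleset can be reviewed before it is applied. The ruleset names and numbers and the node list are constructed for illustration, and only `hide`/`unhide` rules (with or without `path`) are evaluated; the result says which names appear in the jail's /dev, not what a process there can do with them.

```python
import fnmatch
import re

# Constructed sample; ruleset names/numbers are made up, the bpf rule is from the post.
SAMPLE_RULES = """\
[example_hide_all=100]
add hide
[example_vnet_jail=101]
add include $example_hide_all
add path null unhide
add path 'bpf*' unhide
"""

def parse_rulesets(text):
    """Return {ruleset name: [rule, ...]} with the leading 'add' removed."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        header = re.fullmatch(r"\[(\w+)=\d+\]", line)
        if header:
            current = rulesets.setdefault(header.group(1), [])
        elif current is not None and line.startswith("add "):
            current.append(line[4:].strip())
    return rulesets

def flatten(rulesets, name, seen=()):
    """Expand 'include $name' rules in place, keeping rule order."""
    if name in seen:
        raise ValueError(f"include loop at {name}")
    out = []
    for rule in rulesets[name]:
        inc = re.fullmatch(r"include\s+\$(\w+)", rule)
        out += flatten(rulesets, inc.group(1), seen + (name,)) if inc else [rule]
    return out

def visible_nodes(rulesets, name, nodes):
    """Apply hide/unhide rules in order; the last matching rule decides."""
    shown = dict.fromkeys(nodes, True)  # a node is visible until a rule hides it
    for rule in flatten(rulesets, name):
        m = re.fullmatch(r"(?:path\s+(\S+)\s+)?(hide|unhide)", rule)
        if not m:
            continue  # other rule forms (mode, user, group) are ignored here
        pattern = (m.group(1) or "*").strip("'\"")  # no path matches every node
        unhide = m.group(2) == "unhide"
        shown.update({n: unhide for n in nodes if fnmatch.fnmatchcase(n, pattern)})
    return [n for n in nodes if shown[n]]

if __name__ == "__main__":
    # Constructed node names to evaluate against the sample ruleset.
    nodes = ["null", "bpf", "bpf0", "da0", "mem"]
    print(visible_nodes(parse_rulesets(SAMPLE_RULES), "example_vnet_jail", nodes))
```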