check_dhcp

Glen Barber gjb at FreeBSD.org
Fri Jul 25 03:55:37 UTC 2014


On Thu, Jul 24, 2014 at 09:49:28PM -0600, Warren Block wrote:
> On Thu, 24 Jul 2014, Glen Barber wrote:
> 
> >On Thu, Jul 24, 2014 at 09:35:52PM -0600, Warren Block wrote:
> >>On Thu, 24 Jul 2014, Glen Barber wrote:
> >>>On Thu, Jul 24, 2014 at 09:25:06PM -0600, Warren Block wrote:
> >>>>On Thu, 24 Jul 2014, Glen Barber wrote:
> >>>>>
> >>>>>The problem, I suspect, is that bpf(4) does not exist in the jail.
> >>>>
> >>>>It's there:
> >>>>
> >>>># ls -lh /dev/b*
> >>>>crw-------  1 root  wheel   0x12 Jul 24 21:00 /dev/bpf
> >>>>lrwxr-xr-x  1 root  wheel     3B Jul 24 20:08 /dev/bpf0 -> bpf
> >>>>
> >>>
> >>>This is within the jail?
> >>
> >>Yes.  It also has allow.raw_sockets=1.
> >
> >Well, I ask, because I think bpf(4) should *not* exist in the jail
> >even with allow.raw_sockets=1.
> >
> >   # sysctl security.jail.allow_raw_sockets
> >   security.jail.allow_raw_sockets: 1
> >   # ls /dev/bpf*
> >   ls: No match.
> 
> Yes, I had to unhide it with devfs:
> 
>   [devfsrules_jail_dhcp=5]
>   add include $devfsrules_jail
>   add path 'bpf*' unhide
> 
> And then in /usr/local/etc/ezjail/jailname
>   export jail_jailname_devfs_ruleset="5"

I think dhclient still will not work though, since it is set as 'nojail'
in /etc/rc.d/dhclient rc script.

Does /var/run/dhclient* stuff exist in the jail, with valid entries?

I suspect no, and if yes, I would argue this is a bug that it does.

Glen
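
Added example, not part of the original message or of FreeBSD's own scripts: a shell check for the two conditions discussed in this thread, a devfs ruleset that unhides bpf(4) and an rc.d script whose KEYWORD line includes nojail. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit which devfs rulesets expose
# bpf(4) and whether an rc.d script carries a given rcorder keyword.

# bpf_rulesets FILE: print "name=number" for each ruleset in a
# devfs.rules-format file that has an unhide rule on a bpf path.
bpf_rulesets() {
    awk '
        /^[ \t]*#/ { next }                      # comment line
        /^\[.*=[0-9]+\]/ {                       # header: [name=number]
            hdr = $0
            sub(/^\[/, "", hdr); sub(/\].*$/, "", hdr)
            next
        }
        hdr != "" && /path/ && /bpf/ && /unhide/ {
            if (!(hdr in seen)) { seen[hdr] = 1; print hdr }
        }
    ' "$1"
}

# rc_has_keyword FILE WORD: succeed if WORD is on the "# KEYWORD:" line.
rc_has_keyword() {
    awk -v w="$2" '
        /^# KEYWORD:/ { for (i = 3; i <= NF; i++) if ($i == w) found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample input; on a real host point these at
# /etc/devfs.rules and /etc/rc.d/dhclient instead.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/devfs.rules" <<'EOF'
# constructed sample
[devfsrules_jail_web=4]
add include $devfsrules_jail
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide
EOF
printf '%s\n' '#!/bin/sh' '# PROVIDE: dhclient' '# KEYWORD: nojail nostart' \
    > "$SAMPLE_DIR/dhclient"

echo "rulesets exposing bpf: $(bpf_rulesets "$SAMPLE_DIR/devfs.rules")"
if rc_has_keyword "$SAMPLE_DIR/dhclient" nojail; then
    echo "dhclient rc script is marked nojail"
fi
```

Any jail assigned a ruleset this reports can open bpf(4), so the list is worth reviewing against which jails actually need it.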
