Additional devfs rulesets

Alexander Leidinger Alexander at Leidinger.net
Sat Jul 26 17:52:25 UTC 2014


On Thu, 24 Jul 2014 10:07:52 -0600 (MDT)
Warren Block <wblock at wonkity.com> wrote:

> devfsrules_jail is defined in /etc/defaults/devfs.rules, but a new 
> ruleset is needed to unhide bpf devices for using check_dhcp in a
> jail.
> 
> It seems clunky to define the new ruleset in /etc/devfs.rules on the 
> host.  Is there a more elegant way to define it with the jail
> (ezjail) settings in /usr/local/etc?
> 
> Although it would help with keeping devfs rules with the other jail 
> settings, is the need for running services like dhcpd in a jail
> enough to justify adding a new ruleset for it
> to /etc/defaults/devfs.rules?
> 
> [devfsrules_jail_dhcp=5]
> add include $devfsrules_jail
> add path 'bpf*' unhide

A while ago I tried to include a ruleset which includes other rulesets
in another ruleset. It failed. Seems the include is not "multi-level"
capable (or I did something very wrong back then). So if this doesn't
work, try to unroll the nested includes.

I'm not aware of another way than /etc/devfs.rules.

With bpf available in a jail I would assume you can sniff the entire
network from the jail, so if you add something in the defaults file you
should make sure it makes it clear that this "opens" the jail towards
the network from a security point of view much more than what is
possible without it.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0xC773696B3BAC17DC
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0xC773696B3BAC17DC
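As an added example (not from this thread or from the FreeBSD base system), a small Python audit script that parses devfs.rules-style text, unrolls nested `add include $set` lines the way the reply suggests so the flattened ruleset no longer depends on multi-level include support, and reports which rulesets end up unhiding bpf devices. The sample ruleset text is constructed and its section numbers are an assumption.

```python
import re

# Constructed sample in devfs.rules syntax, modelled on the defaults file and
# the devfsrules_jail_dhcp set proposed in the thread (numbers are assumed).
SAMPLE_RULES = """\
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide
"""
SECTION_RE = re.compile(r"^\[(\w+)=(\d+)\]$")

def parse_rulesets(text):
    """Return {name: (number, [rule lines])} from devfs.rules-style text."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            rulesets[current] = (int(m.group(2)), [])
        elif current is not None:
            rulesets[current][1].append(line)
    return rulesets

def flatten(rulesets, name, seen=frozenset()):
    """Unroll nested 'add include $set' rules into one flat list, refusing cycles."""
    if name in seen:
        raise ValueError("include cycle at " + name)
    flat = []
    for rule in rulesets[name][1]:
        words = rule.split()
        if words[:2] == ["add", "include"]:
            flat.extend(flatten(rulesets, words[2].lstrip("$"), seen | {name}))
        else:
            flat.append(rule)
    return flat

def unhidden_bpf(rulesets, name):
    """bpf device globs the flattened ruleset unhides (jail can sniff traffic)."""
    return [w[2].strip("'\"") for w in map(str.split, flatten(rulesets, name))
            if w[:2] == ["add", "path"] and "unhide" in w[3:]
            and w[2].strip("'\"").startswith("bpf")]
```

Feeding the flattened list of `devfsrules_jail_dhcp` back into a `[devfsrules_jail_dhcp=5]` section gives a ruleset with no includes at all, which is the unrolled form the reply recommends if nested includes fail.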