Additional devfs rulesets

Warren Block wblock at wonkity.com
Sat Jul 26 20:13:28 UTC 2014


On Sat, 26 Jul 2014, Alexander Leidinger wrote:

> On Thu, 24 Jul 2014 10:07:52 -0600 (MDT)
> Warren Block <wblock at wonkity.com> wrote:
>
>> devfsrules_jail is defined in /etc/defaults/devfs.rules, but a new
>> ruleset is needed to unhide bpf devices for using check_dhcp in a
>> jail.
>>
>> It seems clunky to define the new ruleset in /etc/devfs.rules on the
>> host.  Is there a more elegant way to define it with the jail
>> (ezjail) settings in /usr/local/etc?
>>
>> Although it would help with keeping devfs rules with the other jail
>> settings, is the need for running services like dhcpd in a jail
>> enough to justify adding a new ruleset for it
>> to /etc/defaults/devfs.rules?
>>
>> [devfsrules_jail_dhcp=5]
>> add include $devfsrules_jail
>> add path 'bpf*' unhide
>
> A while ago I tried to include a ruleset which includes other rulesets
> in another ruleset. It failed. Seems the include is not "multi-level"
> capable (or I did something very wrong back then). So if this doesn't
> work try to unroll the nested includes.

I wondered about that too, but it did work.  The devfsrules_jail ruleset 
(#4) itself includes earlier-defined sets.  However, the rule could not 
be specified by name in the ezjail config file:

   # did not work
   export jail_jailname_devfs_ruleset="devfsrules_jail"
   # does work
   export jail_jailname_devfs_ruleset="5"

> I'm not aware of another way than /etc/devfs.rules.

If devfs accepted an optional file parameter, additional rulesets could 
be defined for each jail.  There might be security implications 
with that.

> With bpf available in a jail I would assume you can sniff the entire
> network from the jail, so if you add something in the defaults file you
> should make sure it makes it clear that this "opens" the jail towards
> the network from a security point of view much more than what is
> possible without it.

That's a good point, and another way adding rulesets from other files 
could be useful.
