Additional devfs rulesets
Warren Block
wblock at wonkity.com
Sat Jul 26 20:13:28 UTC 2014
On Sat, 26 Jul 2014, Alexander Leidinger wrote:
> On Thu, 24 Jul 2014 10:07:52 -0600 (MDT)
> Warren Block <wblock at wonkity.com> wrote:
>
>> devfsrules_jail is defined in /etc/defaults/devfs.rules, but a new
>> ruleset is needed to unhide bpf devices for using check_dhcp in a
>> jail.
>>
>> It seems clunky to define the new ruleset in /etc/devfs.rules on the
>> host. Is there a more elegant way to define it with the jail
>> (ezjail) settings in /usr/local/etc?
>>
>> Although it would help with keeping devfs rules with the other jail
>> settings, is the need for running services like dhcpd in a jail
>> enough to justify adding a new ruleset for it
>> to /etc/defaults/devfs.rules?
>>
>> [devfsrules_jail_dhcp=5]
>> add include $devfsrules_jail
>> add path 'bpf*' unhide
>
> A while ago I tried to include a ruleset which includes other rulesets
> in another ruleset. It failed. Seems the include is not "multi-level"
> capable (or I did something very wrong back then). So if this doesn't
> work try to unroll the nested includes.
I wondered about that too, but it did work. The devfsrules_jail ruleset
(#4) itself includes earlier-defined sets. However, the rule could not
be specified by name in the ezjail config file:
# did not work
export jail_jailname_devfs_ruleset="devfsrules_jail"
# does work
export jail_jailname_devfs_ruleset="5"
> I'm not aware of another way than /etc/devfs.rules.
If devfs accepted an optional file parameter, additional rulesets could
be defined with for each jail. There might be security implications
with that.
> With bpf available in a jail I would assume you can sniff the entire
> network from the jail, so if you add something in the defaults file you
> should make sure it makes it clear that this "opens" the jail towards
> the network from a security point of view much more than what is
> possible without it.
That's a good point, and another way adding rulesets from other files
could be useful.
More information about the freebsd-jail
mailing list