testing 11.0-RC1 vnet jails with ipfilter
Alexander Leidinger
Alexander at leidinger.net
Wed Aug 17 07:45:57 UTC 2016
Quoting CyberLeo Kitsana <cyberleo at cyberleo.net> (from Tue, 16 Aug
2016 16:08:42 -0500):
>> Issuing the "ipfstat -hnio" command from within the vnet jail gives this
>> message, open(IPSTATE_NAME):no such file or directory.
>
> ipfstat(8) also lists /dev/kmem ; I suspect that including this may be a
> bad idea.
kmem will give access to the complete memory of the host. If your goal
is tighter security (instead of just improved manageability due to a
less wide scope of the rules needed), then this is a no-go.
Just adding kmem in the devfs rules will not help anyway; the kernel
disallows access to it even if present in the jail (unless you run my
X11-in-a-jail patch and have the corresponding option activated for
the jail).
Bye,
Alexander.
--
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild at FreeBSD.org : PGP 0x8F31830F9F2772BF
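Added example (not from this thread or from any FreeBSD project file): a small POSIX sh audit that scans a devfs.rules-style ruleset and reports any rule that unhides the raw-memory devices kmem or mem inside a jail, which is the "no-go" Alexander describes above. The ruleset text is constructed for the example; the ruleset name and the ipfilter device names in it are assumptions, not taken from the message.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Scan a devfs ruleset for rules that unhide raw-memory devices (kmem, mem)
# for a jail. Such a rule would hand the jail the host's whole memory if the
# kernel did not already refuse the access, so it should never be present.

# Constructed sample ruleset; ruleset name/number and the ipfilter device
# nodes (ipl, ipnat, ipstate) are assumptions for illustration only.
SAMPLE_RULES='[devfsrules_jail_ipf=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path ipl unhide
add path ipnat unhide
add path ipstate unhide
add path kmem unhide
add path mem unhide'

# Read ruleset text on stdin (an /etc/devfs.rules section or the output of
# "devfs rule -s N show") and print the name of every raw-memory device
# that some "path ... unhide" rule exposes, one per line.
find_mem_unhide() {
    while IFS= read -r line; do
        case "$line" in
            *path*unhide*) ;;
            *) continue ;;
        esac
        # Strip the optional "add", optional rule number and the "path"
        # keyword, leaving the (possibly quoted) device name or glob.
        dev=$(printf '%s\n' "$line" |
            sed -E "s/^[[:space:]]*(add[[:space:]]+)?([0-9]+[[:space:]]+)?path[[:space:]]+'?([^' ]+)'?.*/\3/")
        case "$dev" in
            kmem|mem) printf '%s\n' "$dev" ;;
        esac
    done
}

# Number of raw-memory devices the constructed sample ruleset unhides.
count_mem_unhide() {
    printf '%s\n' "$SAMPLE_RULES" | find_mem_unhide | wc -l | tr -d ' '
}

# Stand-alone run: list the offending devices in the sample ruleset.
printf '%s\n' "$SAMPLE_RULES" | find_mem_unhide
```

The check only matches literal device names; a glob such as `path 'k*' unhide` would also expose kmem but is not flagged, so review wildcard rules by hand. It is intended for ruleset review before applying `devfs rule -s N` to a jail, not as a substitute for the kernel's own refusal that the message describes.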