Should we include ttyu* to devfs_ruleset 3 (devfsrules_unhide_login)?

From: Michael Gmelin <freebsd_at_grem.de>
Date: Sun, 1 Aug 2021 18:52:15 +0200
Hi,

There are many TTY devices in devfsrules_unhide_login=3, but ttyu*
(serial lines) are not part of it.

As a result, certain things won't work as expected when connecting over
a serial console, one example being connecting to a local bhyve vm over
serial console (e.g., `vm console myvm' when using vm-bhyve).

The example that brought this to my attention is using ssh within a
jail that's running inside of a VM, while being connected to that VM
over serial console.

So the setup is:
- FreeBSD 13 host
- bhyve vm running FreeBSD 13 on top
- Jail using mount.devfs running within the bhyve vm, using the default
  devfs_ruleset inside of the bhyve vm (which in turn loads
  devfsrules_jail=4, which includes devfsrules_unhide_login=3).

Now, ssh within that jail won't work, as /dev/tty can't be accessed.

Example (while being connected to the vm over a serial line):

    # jail -c path=/ mount.devfs ip4=inherit command=ssh localhost
    Host key verification failed.
    jail: ssh localhost: failed

Now, adding in an extra rule to ruleset 3:

    # devfs rule -s 3 add 3250 path "ttyu*" unhide

Things work as expected:

    # jail -c path=/ mount.devfs ip4=inherit command=ssh localhost
    The authenticity of host 'localhost (127.0.0.1)' can't be
    established... Are you sure you want to continue connecting
    (yes/no)?

Now the question is, would it make sense to add ttyu* (or at least
ttyu0) to [devfsrules_unhide_login=3] in /etc/defaults/devfs.rules, or
are there any (security) reasons why this might be a bad idea?

Best,
Michael

-- 
Michael Gmelin
Received on Sun Aug 01 2021 - 16:52:15 UTC
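
The visibility question raised in the message above can be reasoned about offline with a small model of ruleset evaluation. This is an added example, not part of the original message and not FreeBSD code: the rules text is a constructed, abbreviated excerpt in devfs.rules(5) syntax, the function names are hypothetical, and the evaluator is a simplified model (rules run in order, includes are expanded in place, each matching hide/unhide sets the node's state).

```python
import fnmatch
import re

# Constructed, abbreviated excerpt in devfs.rules(5) syntax (not the full default file).
RULES = """
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path null unhide

[devfsrules_unhide_login=3]
add path 'ttyp*' unhide
add path ptmx unhide
add path 'pts/*' unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
"""

def parse(text):
    """Map each ruleset name to its list of tokenized 'add' rule bodies."""
    rulesets, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)=\d+\]", line)
        if header:
            current = header.group(1)
            rulesets[current] = []
        elif line.startswith("add ") and current:
            rulesets[current].append(line[4:].split())
    return rulesets

def visible(rulesets, name, dev, state=True):
    """Simplified model: run rules in order; each matching hide/unhide sets the state."""
    for spec in rulesets[name]:
        if spec[0] == "include":
            state = visible(rulesets, spec[1].lstrip("$"), dev, state)
            continue
        pattern = "*"
        if spec[0] == "path":
            pattern, spec = spec[1].strip("'\""), spec[2:]
        if fnmatch.fnmatchcase(dev, pattern):
            state = {"hide": False, "unhide": True}.get(spec[0], state)
    return state

def with_serial_rule(rulesets, pattern="ttyu*"):
    """Copy of the rulesets with the message's extra unhide rule added to ruleset 3."""
    patched = {k: list(v) for k, v in rulesets.items()}
    patched["devfsrules_unhide_login"].append(["path", pattern, "unhide"])
    return patched
```

Calling `with_serial_rule(rulesets, "ttyu0")` models the narrower variant mentioned in the message, which exposes only the first serial line to jails and leaves the other `ttyu*` nodes hidden.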
