Risks of "unhiding" Device Nodes in devfs.rules for jails?

beebeetles at posteo.de beebeetles at posteo.de
Sun Aug 22 04:27:09 UTC 2021


Hi all,

I'm trying to understand the implications of "unhiding" device nodes for
jails through `devfs.rules`. In particular, I'm hoping to know if there
are any security risks incurred by unhiding certain device nodes. For
example, if I create a devfs ruleset with the following rule for a vnet
jail:

add path 'bpf*' unhide

will packets going through the host system become visible to the jail?

As another example, if I do `add path 'da*' unhide`, does /dev/da0
become accessible (for read and write) to the jail?

If unhiding device nodes creates no risk, why would one need the ability
to hide device nodes at all?

Thank you.
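One way to keep an eye on the question raised above, as an added example that is not part of the original post or of FreeBSD itself: a small POSIX sh audit that reads a devfs.rules file, lists every `add path '<glob>' unhide` rule inside a named ruleset, and flags the globs that would expose device classes a jail usually has no business seeing (raw disks, packet-capture nodes, physical memory and I/O ports). The ruleset names and numbers in the sample file are constructed for the example, and the list of "sensitive" node names is the example's own assumption, not a FreeBSD policy; adjust it to the host's actual device inventory (`ls /dev` on the host).

```shell
#!/bin/sh
# audit_devfs.sh: flag 'unhide' rules in a devfs.rules ruleset that expose
# device classes a jail should normally not see.
# Added example; not from the original post and not part of FreeBSD.

# Representative device node names whose exposure to a jail deserves review
# (assumption of this example, not an authoritative list).
SENSITIVE_NODES="bpf0 da0 ada0 mem kmem io pci"

# Print the globs named by "add path <glob> unhide" lines (quoted or not)
# that sit inside the ruleset section "[<name>=N]".
# $1 = path to a devfs.rules file, $2 = ruleset name (e.g. devfsrules_jail)
unhide_globs() {
    awk -v want="$2" '
        /^\[/ { in_set = ($0 ~ ("^\\[" want "=")) }          # section header
        in_set && $1 == "add" && $2 == "path" && $NF == "unhide" {
            g = $3; gsub("\047", "", g); print g             # strip quotes
        }' "$1"
}

# For each unhide glob, print "<glob> <node>" for every sensitive node it
# matches. The glob is deliberately unquoted in the case pattern so the
# shell performs the same kind of wildcard match devfs would.
risky_unhides() {
    unhide_globs "$1" "$2" | while IFS= read -r glob; do
        for node in $SENSITIVE_NODES; do
            case "$node" in
                $glob) printf '%s %s\n' "$glob" "$node" ;;
            esac
        done
    done
}

# Number of sensitive matches in a ruleset; 0 means nothing was flagged.
risky_count() {
    risky_unhides "$1" "$2" | wc -l | tr -d ' '
}

# Write a constructed devfs.rules to $1: one broad ruleset that unhides
# bpf* and da*, one minimal ruleset that only unhides zfs.
write_sample_rules() {
    cat > "$1" <<'EOF'
[devfsrules_jail_broad=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide
add path 'da*' unhide

[devfsrules_jail_minimal=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_rules "$sample"
for rs in devfsrules_jail_broad devfsrules_jail_minimal; do
    printf '== %s: %s flagged\n' "$rs" "$(risky_count "$sample" "$rs")"
    risky_unhides "$sample" "$rs"
done
rm -f "$sample"
```

Run it as `sh audit_devfs.sh`; to check a real configuration, call `risky_unhides /etc/devfs.rules devfsrules_jail` (or whatever ruleset your jail.conf points at) instead of the constructed sample. The broad ruleset is reported with two hits (bpf* and da*), the minimal one with none.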


