On Sat, 26 Jul 2014, Alexander Leidinger wrote:

On Thu, 24 Jul 2014 10:07:52 -0600 (MDT)
Warren Block <wbl...@wonkity.com> wrote:

devfsrules_jail is defined in /etc/defaults/devfs.rules, but a new
ruleset is needed to unhide bpf devices for using check_dhcp in a
jail.

It seems clunky to define the new ruleset in /etc/devfs.rules on the
host.  Is there a more elegant way to define it with the jail
(ezjail) settings in /usr/local/etc?

Although it would help with keeping devfs rules with the other jail
settings, is the need for running services like dhcpd in a jail
enough to justify adding a new ruleset for it
to /etc/defaults/devfs.rules?

[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide

A while ago I tried to include a ruleset which includes other rulesets
in another ruleset. It failed. Seems the include is not "multi-level"
capable (or I did something very wrong back then). So if this doesn't
work try to unroll the nested includes.

I wondered about that too, but it did work. The devfsrules_jail ruleset (#4) itself includes earlier-defined sets. However, the rule could not be specified by name in the ezjail config file:

  # did not work
  export jail_jailname_devfs_ruleset="devfsrules_jail"
  # does work
  export jail_jailname_devfs_ruleset="5"

I'm not aware of another way than /etc/devfs.rules.

If devfs accepted an optional file parameter, additional rulesets could be defined for each jail. There might be security implications with that.

With bpf available in a jail I would assume you can sniff the entire
network from the jail, so if you add something in the defaults file you
should make sure it makes it clear that this "opens" the jail towards
the network from a security point of view much more than what is
possible without it.

That's a good point, and another way adding rulesets from other files could be useful.
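As an added example (not code from this thread or from FreeBSD), the sh/awk script below expands nested "add include $ruleset" lines in a devfs.rules-style file, which answers the multi-level include question above, and then flags any ruleset whose effective rules unhide bpf, so the exposure Alexander describes can be audited before a ruleset number is handed to a jail. SAMPLE_RULES is a constructed stand-in for /etc/defaults/devfs.rules plus the proposed ruleset 5; the function names are mine.

```shell
# Added example, not code from the thread: flatten nested "add include"
# lines in a devfs.rules(5)-style file and report whether a ruleset
# unhides bpf. SAMPLE_RULES is constructed, not the real defaults file.
SAMPLE_RULES=$(cat <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path 'zfs' unhide
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide
EOF
)

# devfs_effective_rules <rules-text> <ruleset name or number>
# Prints the effective rule list with includes expanded recursively.
devfs_effective_rules() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^\[.*=[0-9]+\]$/ {                 # [name=number] header
            sub(/^\[/, ""); sub(/\]$/, ""); split($0, kv, "=")
            cur = kv[2]; num[kv[1]] = cur; next
        }
        /^add / && cur != "" { rules[cur] = rules[cur] $0 "\n" }
        function expand(n, seen,   i, lines, l, inc) {
            if (n in seen) { print "include loop at " n > "/dev/stderr"; return }
            seen[n] = 1; split(rules[n], lines, "\n")
            for (i = 1; i in lines; i++) {
                l = lines[i]
                if (l ~ /^add include \$/) {
                    inc = substr(l, length("add include $") + 1)
                    expand(num[inc], seen)
                } else if (l != "") print l
            }
            delete seen[n]                  # allow diamond includes
        }
        END {
            if (want !~ /^[0-9]+$/) want = num[want]   # name -> number
            split("", seen); expand(want, seen)
        }'
}
# Exit 0 when the effective rules unhide a bpf device (the exposure above).
devfs_ruleset_unhides_bpf() {
    devfs_effective_rules "$1" "$2" | grep -Eq "^add path '?bpf.* unhide"
}
```

Run it against the real /etc/devfs.rules and /etc/defaults/devfs.rules contents to list which numbered rulesets would give a jail bpf access.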
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"