[jails] Are there any Risks of "unhiding" Device Nodes in devfs.rules for jails?

Hi all,

I'm trying to understand the implications of "unhiding" device nodes for jails through devfs.rules. In particular, I'm hoping to know if there are any security risks incurred by unhiding certain device nodes. For example, if I create a devfs ruleset with the following rule for a vnet jail:
add path 'bpf*' unhide
will packets going through the host system become visible to the jail?

As another example, if I do add path 'da*' unhide, does /dev/da0 become accessible (for read and write) to the jail?

If unhiding device nodes creates no risk, why would one need the ability to hide device nodes at all? On the other hand, if unhiding device nodes does reduce security, what would be the best practice to create a jail that has fully-functional (pf, tcpdump, dhclient, etc.) yet fully isolated networking?

Thanks!
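As an added example (not from the original post and not FreeBSD's own tooling), this POSIX shell script walks a devfs.rules ruleset over a constructed list of device names and reports which nodes end up visible, so you can check before applying a ruleset how rule order and globs such as 'da*' (which also picks up partition nodes like da0p1) shape what a jail sees. It assumes only the simplified rule forms listed in the comments; the ruleset name and device list are constructed.

```shell
#!/bin/sh
# Simulate which device nodes a devfs ruleset leaves visible to a jail. Inputs:
# a devfs.rules file and a one-name-per-line list of device nodes (on a real host,
# take it from the host's /dev). Supports "add hide", "add path <glob> hide" and
# "add path <glob> unhide" with optional rule numbers; other rules are skipped.
devfs_visible() {
    set -f                                   # keep pathname expansion off the globs
    alldevs=$(tr '\n' ' ' < "$2")
    hidden=" "                               # hidden names, each wrapped in spaces
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case "$1" in ''|'#'*|'['*) continue ;; add) ;;      # blank, comment, [ruleset=N]
            *) echo "note: skipping unsupported rule: $line" >&2; continue ;; esac
        shift; case "$1" in ''|*[!0-9]*) ;; *) shift ;; esac   # drop optional rule number
        if [ "$1" = hide ]; then hidden=" $alldevs "        # "add hide": hide everything
        elif [ "$1" = path ] && [ $# -eq 3 ]; then
            glob=$2; glob=${glob#"'"}; glob=${glob%"'"}     # rules files quote globs with ''
            for d in $alldevs; do
                case "$d" in $glob) ;; *) continue ;; esac
                if [ "$3" = hide ]; then
                    case "$hidden" in *" $d "*) ;; *) hidden="$hidden$d " ;; esac
                else                                         # unhide: drop d from the set
                    new=" "; for h in $hidden; do [ "$h" = "$d" ] || new="$new$h "; done; hidden=$new
                fi
            done
        else echo "note: skipping unsupported rule: $line" >&2; fi
    done < "$1"
    set +f; out=""
    for d in $alldevs; do
        case "$hidden" in *" $d "*) ;; *) out="$out$d " ;; esac
    done
    printf '%s\n' "${out% }"
}
# Demo on constructed input: hide all, unhide a few, then a later hide for partitions.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/devfs.rules" <<'EOF'
[devfsrules_jail_tcpdump=20]
add hide
add path null unhide
add path 'bpf*' unhide
add path 'da*' unhide
add path 'da*p*' hide
EOF
    printf '%s\n' bpf0 bpf1 da0 da0p1 da1 ada0 null ttyv0 > "$tmp/devices"
    devfs_visible "$tmp/devfs.rules" "$tmp/devices"
    rm -rf "$tmp"
}
demo   # prints: bpf0 bpf1 da0 da1 null
```

Rules the script does not model (include, type, and anything after an unsupported line) are reported on stderr and need to be checked by hand against devfs.rules(5).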
 
If unhiding device nodes creates no risk, why would one need the ability to hide device nodes at all?
Doesn't this answer your own question?

On the other hand, if unhiding device nodes does reduce security, what would be the best practice to create a jail that has fully-functional (pf, tcpdump, dhclient, etc.) yet fully isolated networking?
Use a VNET jail.

Code:
     vnet    Create the jail with its own virtual network stack, with its own
             network interfaces, addresses, routing table, etc.  The kernel
             must have been compiled with the VIMAGE option for this to be
             available.  Possible values are “inherit” to use the system
             network stack, possibly with restricted IP addresses, and “new”
             to create a new network stack.
The GENERIC kernel has VIMAGE enabled.
 
Use a VNET jail.

Code:
     vnet    Create the jail with its own virtual network stack, with its own
             network interfaces, addresses, routing table, etc.  The kernel
             must have been compiled with the VIMAGE option for this to be
             available.  Possible values are “inherit” to use the system
             network stack, possibly with restricted IP addresses, and “new”
             to create a new network stack.
The GENERIC kernel has VIMAGE enabled.
I'm already using a VNET jail. However, for tcpdump to work within the jail, it seems that bpf devices need to be visible from within the jail. My concern is whether making bpf devices visible in a jail will have the side effect of making packets intended for the host (outside of the jail) accessible to the jailed environment. If the answer is yes, then does it mean that there's no way of enabling tcpdump inside the jail while keeping its networking fully isolated from the host?
 