devfs ruleset incongruency - a bug?

Ok, this is so weird, it's freaking me out right now. I'm stumped.

So I'm writing a devfs ruleset for a Firefox jail.

If I hide devices alphabetically such as `add path 'a*' hide` and unhide only the devices I need, things work great.

I take this very very same ruleset and just insert `add hide` to the top of the ruleset, and it breaks Firefox (get weird geometry fighting/flickering, just not usable).

So what the heck is going on?

What does `add hide` do additionally to what I'm doing with hiding devices alphabetically and unhiding individual devices??
 
`add hide` hides every device. Including /dev/zero, /dev/null etc. Some of these might be required for Firefox and you may have forgotten to unhide them.

Instead of making up your own lists, why not include the existing default rules? Like the default "jail" ruleset does:
```
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path fuse unhide
add path zfs unhide
```
See /etc/defaults/devfs.rules
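A small simulation, added here and not taken from the thread or from FreeBSD itself, of how devfs(8) walks a ruleset (rules in order, includes expanded in place, last matching action wins) over a constructed device list. It compares the per-letter approach, the same rules with `add hide` prepended, and the jail-style include chain; the set names `alpha_only`, `alpha_with_hide`, `jail_style` and the abbreviated `$devfsrules_*` bodies are assumptions made for the example.

```python
import fnmatch
# Constructed sample of a FreeBSD /dev listing (a handful of typical nodes).
DEVICES = ["acpi", "ada0", "bpf", "null", "random", "urandom", "zero", "zfs"]
# Constructed rulesets in devfs.rules(5) syntax; the $devfsrules_* sets are short stand-ins for the stock ones.
RULES_TEXT = """
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
add path zero unhide
[alpha_only=10]
add path 'a*' hide
add path 'z*' hide
add path random unhide
[alpha_with_hide=11]
add hide
add path 'a*' hide
add path 'z*' hide
add path random unhide
[jail_style=12]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
"""
def parse_rulesets(text):
    """Return {name: [(action, arg), ...]}; arg is a glob, a set name, or None."""
    sets, current = {}, None
    for toks in (line.split() for line in text.splitlines() if line.strip()):
        if toks[0].startswith("["):          # [name=number] header
            current = sets.setdefault(toks[0][1:].split("=")[0], [])
        elif toks[1] == "include":           # add include $set
            current.append(("include", toks[2].lstrip("$")))
        elif toks[1] == "path":              # add path <glob> <hide|unhide>
            current.append((toks[3], toks[2].strip("'\"")))
        else:                                # add hide / add unhide (no condition)
            current.append((toks[1], None))
    return sets

def visible_devices(sets, name, devices=DEVICES):
    """Simplified devfs(8) model: rules run in order, includes expand in place, last match wins."""
    visible = set(devices)
    def run(set_name):
        for action, arg in sets[set_name]:
            if action == "include":
                run(arg)
                continue
            for dev in devices:
                if arg is None or fnmatch.fnmatchcase(dev, arg):
                    (visible.discard if action == "hide" else visible.add)(dev)
    run(name)
    return sorted(visible)
```

With `alpha_only` the nodes no letter rule touched (bpf, null, urandom) stay visible; with `alpha_with_hide` only random survives, which is the silent loss of /dev/null and friends the reply describes. The model ignores details such as device types and subdirectory matching in real devfs rules.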
 
But no, I hide them with `add path 'z*' hide` (for /dev/zero, for example), unhide what I need (/dev/random, ie) and things work great. The very same rules that work great are broken the moment I prepend `add hide` to the ruleset.

EDIT:
Instead of making up your own lists, why not include the existing default rules?
Because I'm a security conscious individual who likes to explore, learn, tinker, etc? It's a good skill to have to be able to create and set/unset your own rulesets on the fly.
 