On Thu, 9 Sep 2010, Luiz Gustavo S. Costa wrote:


But I found something that may be unsafe within the jail environment,
I'm allowed to change /dev/pf, so that if I run a "pfctl-f
/etc/pf.conf" inside the jail to do with that the rules are read
again, killing pf.conf on the main environment

yes, see the comment at the top of the patch:

! You should not leak /dev/pf into jails for now or they might
! change your rules;-)

See devfs, devfs.rules, etc.   The jail startup script would usually
apply the devfsrules_jail defines in /etc/defaults/devfs.rules.


Bjoern A. Zeeb                              Welcome a new stage of life.
freebsd-virtualization@freebsd.org mailing list
To unsubscribe, send any mail to 

Reply via email to