From owner-svn-src-all@FreeBSD.ORG Sun Mar 18 21:50:16 2012 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9963E106566B; Sun, 18 Mar 2012 21:50:16 +0000 (UTC) (envelope-from mm@FreeBSD.org) Received: from mail.vx.sk (mail.vx.sk [IPv6:2a01:4f8:150:6101::4]) by mx1.freebsd.org (Postfix) with ESMTP id 2CEF28FC12; Sun, 18 Mar 2012 21:50:16 +0000 (UTC) Received: from core2.vx.sk (localhost [127.0.0.2]) by mail.vx.sk (Postfix) with ESMTP id 2219619827; Sun, 18 Mar 2012 22:50:15 +0100 (CET) X-Virus-Scanned: amavisd-new at mail.vx.sk Received: from mail.vx.sk by core2.vx.sk (amavisd-new, unix socket) with LMTP id l7tlPgApBQw0; Sun, 18 Mar 2012 22:50:13 +0100 (CET) Received: from [10.9.8.1] (188-167-78-15.dynamic.chello.sk [188.167.78.15]) by mail.vx.sk (Postfix) with ESMTPSA id DDB351981E; Sun, 18 Mar 2012 22:50:12 +0100 (CET) Message-ID: <4F665895.1050803@FreeBSD.org> Date: Sun, 18 Mar 2012 22:50:13 +0100 From: Martin Matuska User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2 MIME-Version: 1.0 To: Alexander Leidinger References: <201203162130.q2GLUQaw035726@svn.freebsd.org> <20120317163539.00004d8f@unknown> <4F6653C6.6020405@FreeBSD.org> In-Reply-To: <4F6653C6.6020405@FreeBSD.org> X-Enigmail-Version: 1.4 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, pjd@FreeBSD.org, jamie@FreeBSD.org Subject: Re: svn commit: r233048 - head/etc/defaults X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Mar 2012 21:50:16 -0000 On 18.3.2012 22:29, Martin Matuska wrote: > On 17.3.2012 16:35, Alexander Leidinger wrote: >> On Fri, 16 Mar 2012 21:30:26 +0000 (UTC) Martin Matuska >> wrote: >> >>> Author: mm >>> Date: Fri Mar 16 21:30:26 2012 >>> New Revision: 233048 >>> URL: http://svn.freebsd.org/changeset/base/233048 >>> >>> Log: >>> Unhide /dev/zfs in devfsrules_jail. >>> >>> The /dev/zfs device is required for managing jailed ZFS datasets. >> This may give more info to a jail (ZFS is in use on this machine) than >> what someone may want to provide. I have separate rulesets for jails >> without and with ZFS (actually the one without is the default one and >> the one with is a new one): >> ---snip--- >> ... >> >> [devfsrules_unhide_zfs=12] >> add path zfs unhide >> >> ... >> >> [devfsrules_jail_withzfs=16] >> add include $devfsrules_hide_all >> add include $devfsrules_unhide_basic >> add include $devfsrules_unhide_login >> add include $devfsrules_unhide_zfs >> ---snip--- >> >> Anyone with arguments why this may be overly paranoid? If not, I would >> suggest that we go this way instead. >> >> Bye, >> Alexander. >> > The only disclosed information I know of is whether the zfs module is > loaded on your system. > Other alternative I was thinking of would be using a new ruleset (e.g. > devfsrules_jail_zfs=5). > The disadvantage here is that users that already have defined a ruleset > with this number should be informed somehow. > Btw. jail has access to sysctl(8) and this discloses a *LOT* of information, including if ZFS is loaded or not (existence of vfs.zfs) and all its settings and statistics, hardware devices, geom devices, network card counters and many more. Compared to this is /dev/zfs really a minor issue :-) Until we limit the output of sysctl() we don't hide this information just by hiding /dev/zfs. -- Martin Matuska FreeBSD committer http://blog.vx.sk