
aquarium: Sort out /dev/bpf access #7

Closed
2 tasks done
obiwac opened this issue Jun 24, 2022 · 0 comments · Fixed by #41
obiwac commented Jun 24, 2022

Access to the Berkeley Packet Filter device is necessary for DHCP (for obvious reasons), but we don't want the aquarium to do much else (i.e. we don't want it snooping around the network traffic of the whole machine).

(But maybe we do want this, #29 )

Solutions to explore:

  • Along with aquarium: Use jail VNET's #6, make the aquarium frontend handle DHCP for the aquarium. (This was attempted by vnets #39 but I think the /dev/bpf solution is best after all. But not in the way described by the now crossed second option.) Final solution: BPF access #41
  • Temporarily allow access to /dev/bpf to the aquarium. Can now specify devfs rulesets: devfs rulesets #29. That being said, no default ruleset in aquaBSD unhides /dev/bpf, so this still requires more work on the side of the user. I think it's best to lean on the first solution.

To elaborate a bit more on the first solution, it may be possible to assign an IP to the host-side epair interface and then statically assign that IP inside of the aquarium to the other side of that epair interface.

That being said, no default ruleset in aquaBSD unhides /dev/bpf

To address this part in the second solution, we could:

  • Check if /dev/bpf is already unhidden (easy, check with access(3)).
  • If it is, skip all this.
  • Otherwise, just add an unhide rule for /dev/bpf.
  • Run dhclient on vnet->internal_epair.
  • Hide /dev/bpf again once that's done.
@obiwac obiwac self-assigned this Jun 24, 2022
@obiwac obiwac added the enhancement New feature or request label Jun 24, 2022
@obiwac obiwac mentioned this issue Jul 10, 2023
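The five-step procedure in the comment above, as an added shell example (not aquarium's own code): it checks the node with test(1), the shell counterpart of the access(3) check, exposes bpf to the jail's devfs mount with a one-off devfs(8) rule rather than editing a persistent ruleset, runs dhclient(8), and re-hides the node on every exit path, including dhclient failure. Assumed: the jail's devfs mount point and the jail-side epair name are passed as arguments, and devfs and dhclient are resolved at run time.

```shell
#!/bin/sh
# Temporarily expose /dev/bpf to a jail for one DHCP run (added example,
# not aquarium code). Arguments are assumptions: $1 is the jail's devfs
# mount point (e.g. /jails/demo/dev), $2 the jail-side epair interface.
set -u

# 0 if the bpf node is already visible and accessible under the jail's
# devfs mount, i.e. the ruleset in use already unhides it (the access(3)
# check from the issue, done with test(1)).
bpf_visible() {
    [ -r "$1/bpf" ] && [ -w "$1/bpf" ]
}

# Apply one devfs rule directly to the jail's devfs mount, leaving the
# persistent ruleset untouched. $2 is "unhide" or "hide".
bpf_set() {
    devfs -m "$1" rule apply path 'bpf*' "$2"
}

# Run dhclient on the epair with bpf exposed only for that window.
# Returns dhclient's exit status; the node is re-hidden even on failure.
bpf_dhcp() {
    jail_devdir=$1
    iface=$2
    if bpf_visible "$jail_devdir"; then
        echo "bpf already visible under $jail_devdir; leaving devfs alone"
        dhclient "$iface"
        return $?
    fi
    bpf_set "$jail_devdir" unhide || return $?
    dhclient "$iface"
    dhcp_rc=$?
    # Hiding removes the node from the namespace only: a dhclient that keeps
    # running still holds the bpf descriptor it opened, so this closes the
    # window for new opens, not for the process already started.
    bpf_set "$jail_devdir" hide
    return $dhcp_rc
}
```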