Date:      Fri, 22 Mar 2013 00:59:50 +0100
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Harald Schmalzbauer <h.schmalzbauer@omnilan.de>,  Jamie Gritton <jamie@freebsd.org>, freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: new jail(8) ignoring devfs_ruleset?
Message-ID:  <514B9EF6.3000607@quip.cz>
In-Reply-To: <20130219212430.GA92116@felucia.tataz.chchile.org>
References:  <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de> <20130219212430.GA92116@felucia.tataz.chchile.org>

Jeremie Le Hen wrote:
> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>>    Hello,
>>>>
>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>>> jail.conf capabilities. Thanks for that extension!
>>>>
>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>> If I list /dev/ I see all the host's disk devices etc.
>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>> Inside the jail, sysctl security.jail.devfs_ruleset returns "1".
>>>> But like mentioned, I can access all devices...
>>>>
>>>> Thanks for any help,
>>>>
>>>> -Harry
>>>
>>> devfs_ruleset is only used along with mount.devfs - do you also have
>>> that set in jail.conf?
>>
>> Thanks for your response.
>>
>> Yes, I have mount.devfs; set.
>> Otherwise I wouldn't have any device inside my jail. Verified - and like
>> intended, right?
>> Another notable discrepancy: The man page says that devfs_ruleset is "4"
>> by default.
>> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
>> 'sysctl security.jail.devfs_ruleset' returns 0.
>> When set, like mentioned above, it returns the corresponding value, but
>> it doesn't have any effect.
>> How does devfs_ruleset get handled? Does jail(8) do the whole job? I'd like
>> to help finding the source, but I have missed the whole new jail evolution...
>> Inside my jails, I don't have a fstab, outside I have them defined and
>> enabled with "mount" - and noticed the non-reverted umounting.
>
> Look at what's in /dev from your jail.  There should be a few pseudo
> devices (see below), but no real devices:
>
> $ ls /dev
> crypto  log     ptmx    random  stdin   urandom zfs
> fd      null    pts     stderr  stdout  zero

I can confirm the mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC.

I am now testing the new jail.conf possibilities and I am seeing all devices
in /dev in the jail.

Even though I set all this in my jail.conf:

exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset      = 4;
allow.set_hostname = false;

path            = "/vol0/jail/$name";
exec.consolelog = "/var/log/jail/$name.console";
mount.fstab     = "/etc/fstab.$name";

## Jail bali
bali {
         host.hostname = "bali.XXXXXXX.YY";
         ip4.addr      = xx.xx.xx.xx;
         devfs_ruleset = 4;
}
# jexec 4 tcsh

root@bali:/ # ls -l /dev/
total 4
crw-r--r--  1 root  wheel       0,  35 Mar  1 19:39 acpi
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 ad10 -> ada3
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 ad10s1 -> ada3s1
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1a -> ada3s1a
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1b -> ada3s1b
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1d -> ada3s1d
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1e -> ada3s1e
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1f -> ada3s1f
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1g -> ada3s1g
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 ad10s2 -> ada3s2
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s2a -> ada3s2a
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s2b -> ada3s2b
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s2d -> ada3s2d
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s2e -> ada3s2e
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 ad4 -> ada0
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 ad6 -> ada1
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 ad8 -> ada2
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 ad8s1 -> ada2s1
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1a -> ada2s1a
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1b -> ada2s1b
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1d -> ada2s1d
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1e -> ada2s1e
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1f -> ada2s1f
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1g -> ada2s1g
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 ad8s2 -> ada2s2
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s2a -> ada2s2a
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s2b -> ada2s2b
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s2d -> ada2s2d
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s2e -> ada2s2e
crw-r-----  1 root  operator    0, 106 Mar  1 19:39 ada0
crw-r-----  1 root  operator    0, 108 Mar  1 19:39 ada1
crw-r-----  1 root  operator    0, 114 Mar  1 19:39 ada2
crw-r-----  1 root  operator    0, 120 Mar  1 19:39 ada2s1
crw-r-----  1 root  operator    0, 130 Mar  1 19:39 ada2s1a
crw-r-----  1 root  operator    0, 132 Mar  1 19:39 ada2s1b
crw-r-----  1 root  operator    0, 134 Mar  1 19:39 ada2s1d
crw-r-----  1 root  operator    0, 136 Mar  1 19:39 ada2s1e
crw-r-----  1 root  operator    0, 138 Mar  1 19:39 ada2s1f
crw-r-----  1 root  operator    0, 140 Mar  1 19:39 ada2s1g
crw-r-----  1 root  operator    0, 122 Mar  1 19:39 ada2s2
crw-r-----  1 root  operator    0, 142 Mar  1 19:39 ada2s2a
crw-r-----  1 root  operator    0, 144 Mar  1 19:39 ada2s2b
crw-r-----  1 root  operator    0, 146 Mar  1 19:39 ada2s2d
crw-r-----  1 root  operator    0, 148 Mar  1 19:39 ada2s2e
crw-r-----  1 root  operator    0, 116 Mar  1 19:39 ada3
crw-r-----  1 root  operator    0, 124 Mar  1 19:39 ada3s1
crw-r-----  1 root  operator    0, 150 Mar  1 19:39 ada3s1a
crw-r-----  1 root  operator    0, 154 Mar  1 19:39 ada3s1b
crw-r-----  1 root  operator    0, 156 Mar  1 19:39 ada3s1d
crw-r-----  1 root  operator    0, 161 Mar  1 19:39 ada3s1e
crw-r-----  1 root  operator    0, 165 Mar  1 19:39 ada3s1f
crw-r-----  1 root  operator    0, 167 Mar  1 19:39 ada3s1g
crw-r-----  1 root  operator    0, 126 Mar  1 19:39 ada3s2
crw-r-----  1 root  operator    0, 170 Mar  1 19:39 ada3s2a
crw-r-----  1 root  operator    0, 173 Mar  1 19:39 ada3s2b
crw-r-----  1 root  operator    0, 175 Mar  1 19:39 ada3s2d
crw-r-----  1 root  operator    0, 177 Mar  1 19:39 ada3s2e
crw-------  1 root  kmem        0,  19 Mar  1 19:39 audit
crw-------  1 root  wheel       0,  11 Mar  1 19:39 bpf
lrwxr-xr-x  1 root  wheel            3 Mar 22 00:46 bpf0 -> bpf
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 cam
crw-r-----  1 root  operator    0, 118 Mar  1 19:39 cd0
crw-r-----  1 root  operator    0, 208 Mar  1 19:39 cd1
crw-------  1 root  wheel       0,   5 Mar 22 00:43 console
crw-------  1 root  wheel       0,  60 Mar  1 19:39 consolectl
crw-rw-rw-  1 root  wheel       0,  10 Mar  1 19:39 ctty
crw-rw----  1 uucp  dialer      0,  41 Mar  1 19:39 cuau0
crw-rw----  1 uucp  dialer      0,  42 Mar  1 19:39 cuau0.init
crw-rw----  1 uucp  dialer      0,  43 Mar  1 19:39 cuau0.lock
crw-rw----  1 uucp  dialer      0,  64 Mar  1 19:39 cuau1
crw-rw----  1 uucp  dialer      0,  65 Mar  1 19:39 cuau1.init
crw-rw----  1 uucp  dialer      0,  66 Mar  1 19:39 cuau1.lock
crw-r-----  1 root  operator    0, 209 Mar  1 19:39 da0
crw-r-----  1 root  operator    0, 210 Mar  1 19:39 da1
crw-------  1 root  wheel       0,  20 Mar  1 19:39 dcons
crw-------  1 root  wheel       0,   4 Mar  1 19:39 devctl
cr--------  1 root  wheel       0, 100 Mar  1 19:39 devstat
crw-------  1 root  wheel       0,  21 Mar  1 19:39 dgdb
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 fd
crw-------  1 root  wheel       0,  15 Mar  1 19:39 fido
crw-r-----  1 root  operator    0,   3 Mar  1 19:39 geom.ctl
crw-------  1 root  wheel       0,  28 Mar  1 19:39 io
lrwxr-xr-x  1 root  wheel            5 Mar 22 00:46 kbd0 -> ukbd0
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 kbd1 -> kbdmux0
crw-------  1 root  wheel       0,  13 Mar  1 19:39 kbdmux0
crw-------  1 root  wheel       0,   9 Mar  1 19:39 klog
crw-r-----  1 root  kmem        0,  17 Mar  1 19:39 kmem
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 led
crw-------  1 root  wheel       0,  72 Mar  1 19:39 mdctl
crw-r-----  1 root  kmem        0,  16 Mar  1 19:39 mem
crw-rw-rw-  1 root  wheel       0,   7 Mar  1 19:39 midistat
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 mirror
crw-------  1 root  kmem        0,  18 Mar  1 19:39 nfslock
crw-rw-rw-  1 root  wheel       0,  22 Mar 22 00:55 null
crw-------  1 root  operator    0, 101 Mar  1 19:39 pass0
crw-------  1 root  operator    0, 102 Mar  1 19:39 pass1
crw-------  1 root  operator    0, 103 Mar  1 19:39 pass2
crw-------  1 root  operator    0, 104 Mar  1 19:39 pass3
crw-------  1 root  operator    0, 105 Mar  1 19:39 pass4
crw-------  1 root  operator    0, 185 Mar  1 19:39 pass5
crw-------  1 root  operator    0, 206 Mar  1 19:39 pass6
crw-------  1 root  operator    0, 207 Mar  1 19:39 pass7
crw-r--r--  1 root  wheel       0,  24 Mar  1 19:39 pci
crw-------  1 root  wheel       0, 194 Mar  1 19:40 pf
crw-rw-rw-  1 root  wheel       0,  25 Mar  1 19:39 ptmx
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 pts
crw-rw-rw-  1 root  wheel       0,  26 Mar  1 20:40 random
cr--r--r--  1 root  wheel       0,   6 Mar  1 19:39 sndstat
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 stderr -> fd/2
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 stdin -> fd/0
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 stdout -> fd/1
crw-------  1 root  wheel       0,   8 Mar  1 19:39 sysmouse
crw-------  1 root  wheel       0,  38 Mar  1 19:39 ttyu0
crw-------  1 root  wheel       0,  39 Mar  1 19:39 ttyu0.init
crw-------  1 root  wheel       0,  40 Mar  1 19:39 ttyu0.lock
crw-------  1 root  wheel       0,  61 Mar  1 19:39 ttyu1
crw-------  1 root  wheel       0,  62 Mar  1 19:39 ttyu1.init
crw-------  1 root  wheel       0,  63 Mar  1 19:39 ttyu1.lock
crw-------  1 root  wheel       0,  44 Mar  1 19:40 ttyv0
crw-------  1 root  wheel       0,  45 Mar  1 19:40 ttyv1
crw-------  1 root  wheel       0,  46 Mar  1 19:40 ttyv2
crw-------  1 root  wheel       0,  47 Mar  1 19:40 ttyv3
crw-------  1 root  wheel       0,  48 Mar  1 19:40 ttyv4
crw-------  1 root  wheel       0,  49 Mar  1 19:40 ttyv5
crw-------  1 root  wheel       0,  50 Mar  1 19:40 ttyv6
crw-------  1 root  wheel       0,  51 Mar  1 19:40 ttyv7
crw-------  1 root  wheel       0,  52 Mar  1 19:39 ttyv8
crw-------  1 root  wheel       0,  53 Mar  1 19:39 ttyv9
crw-------  1 root  wheel       0,  54 Mar  1 19:39 ttyva
crw-------  1 root  wheel       0,  55 Mar  1 19:39 ttyvb
crw-------  1 root  wheel       0,  56 Mar  1 19:39 ttyvc
crw-------  1 root  wheel       0,  57 Mar  1 19:39 ttyvd
crw-------  1 root  wheel       0,  58 Mar  1 19:39 ttyve
crw-------  1 root  wheel       0,  59 Mar  1 19:39 ttyvf
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 ufs
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 ufsid
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen0.1 -> usb/0.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen1.1 -> usb/1.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen1.2 -> usb/1.2.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen2.1 -> usb/2.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen3.1 -> usb/3.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen3.2 -> usb/3.2.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen4.1 -> usb/4.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen5.1 -> usb/5.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen6.1 -> usb/6.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen7.1 -> usb/7.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen7.2 -> usb/7.2.0
crw-------  1 root  wheel       0, 163 Mar  1 19:39 ukbd0
crw-r--r--  1 root  operator    0, 169 Mar  1 19:39 ums0
crw-r--r--  1 root  operator    0, 172 Mar  1 19:39 ums1
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 urandom -> random
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 usb
crw-r--r--  1 root  operator    0,  70 Mar  1 19:39 usbctl
crw-------  1 root  wheel       0,  69 Mar  1 19:39 vboxdrv
crw-------  1 root  wheel       0, 196 Mar  1 19:40 vboxnetctl
crw-------  1 root  operator    0,  71 Mar  1 19:39 xpt0
crw-rw-rw-  1 root  wheel       0,  23 Mar  1 19:39 zero
Is it a problem in my understanding of the manpage / configuration, or is it
a bug in the jail command on 9.1-RELEASE?

Miroslav Lachman
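A host-side check for the symptom both posters describe, added here as an example; it is not code from the thread, nor from FreeBSD's jail(8) or devfs(8). It reads an `ls -l /dev` listing taken inside a jail and reports every node that a jail under devfs ruleset 4 (devfsrules_jail) should not be able to see. The expected set is exactly what Jeremie's `ls /dev` above shows; treating it as the full content of ruleset 4 is an assumption of this script, as are the function names (`dev_names_from_ls`, `leaked_devices`, `audit_jail_dev`) and the abridged sample listing, which is constructed from the output posted above so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit a jail's /dev listing against
# the nodes that a jail with devfs ruleset 4 (devfsrules_jail) should expose.
# The expected set is taken from the "ls /dev" output Jeremie posted above;
# assuming it is the whole of ruleset 4 is this script's own assumption.
# Only top-level names are checked ("pts/*" and "fd/*" do not appear in a
# plain "ls -l /dev").
JAIL_DEV_EXPECTED="crypto fd log null ptmx pts random stderr stdin stdout urandom zero zfs"

# Print one device name per line from "ls -l" output read on stdin.
# The "total N" line has too few fields and is skipped; for a symlink the
# name is the field before "->", otherwise it is the last field.
dev_names_from_ls() {
    awk 'NF < 9 { next }
         $(NF-1) == "->" { print $(NF-2); next }
         { print $NF }'
}

# Print the names that are visible in the listing but not in the expected set.
leaked_devices() {
    for name in $(dev_names_from_ls); do
        case " $JAIL_DEV_EXPECTED " in
            *" $name "*) ;;        # expected inside a jail
            *) echo "$name" ;;     # should have been hidden by the ruleset
        esac
    done
}

# Exit 0 when the listing contains only expected nodes, 1 otherwise,
# naming each unexpected node on stderr.
audit_jail_dev() {
    leaked=$(leaked_devices)
    if [ -n "$leaked" ]; then
        printf 'unexpected in jail /dev: %s\n' $leaked >&2
        return 1
    fi
    return 0
}

# Constructed sample in the shape of the listing posted above (abridged).
# Against a live jail, run from the host:  jexec <jid> ls -l /dev | audit_jail_dev
SAMPLE_LISTING='total 4
crw-r--r--  1 root  wheel       0,  35 Mar  1 19:39 acpi
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 ad10 -> ada3
crw-r-----  1 root  operator    0, 106 Mar  1 19:39 ada0
crw-------  1 root  wheel       0,  11 Mar  1 19:39 bpf
crw-r-----  1 root  kmem        0,  17 Mar  1 19:39 kmem
crw-rw-rw-  1 root  wheel       0,  22 Mar 22 00:55 null
crw-rw-rw-  1 root  wheel       0,  25 Mar  1 19:39 ptmx
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 pts
crw-rw-rw-  1 root  wheel       0,  26 Mar  1 20:40 random
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 stdin -> fd/0
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 urandom -> random
crw-rw-rw-  1 root  wheel       0,  23 Mar  1 19:39 zero'

if printf '%s\n' "$SAMPLE_LISTING" | audit_jail_dev; then
    echo "jail /dev looks like ruleset 4 was applied"
else
    echo "jail /dev exposes host devices; the devfs ruleset was not applied to the mount"
fi
```

On the sample this reports acpi, ad10, ada0, bpf and kmem, which is the same picture as the full listing above: the disk, bpf and kmem nodes are exactly what ruleset 4 exists to hide. If the expected list needs adjusting for a local `/etc/devfs.rules`, `devfs rule -s 4 show` on the host prints the rules in ruleset 4, and `devfs -m <jailpath>/dev rule -s 4 applyset` is the devfs(8) operation that actually applies the set to a jail's devfs mount.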