Date: Thu, 21 Mar 2013 18:09:51 -0600
From: Jamie Gritton <jamie@FreeBSD.org>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Harald Schmalzbauer <h.schmalzbauer@omnilan.de>, freebsd-jail@FreeBSD.org, freebsd-stable@FreeBSD.org
Subject: Re: new jail(8) ignoring devfs_ruleset?
Message-ID: <514BA14F.3090609@FreeBSD.org>
In-Reply-To: <514B9EF6.3000607@quip.cz>
References: <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de> <20130219212430.GA92116@felucia.tataz.chchile.org> <514B9EF6.3000607@quip.cz>
On 03/21/13 17:59, Miroslav Lachman wrote:
> Jeremie Le Hen wrote:
>> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>>> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>>> Hello,
>>>>>
>>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>>>> jail.conf capabilities. Thanks for that extension!
>>>>>
>>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>>> If I list /dev/ I see all the host's disk devices etc.
>>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>>> Inside the jail,
>>>>> sysctl security.jail.devfs_ruleset returns "1".
>>>>> But like mentioned, I can access all devices...
>>>>>
>>>>> Thanks for any help,
>>>>>
>>>>> -Harry
>>>>
>>>> devfs_ruleset is only used along with mount.devfs - do you also have
>>>> that set in jail.conf?
>>>
>>> Thanks for your response.
>>>
>>> Yes, I have mount.devfs; set.
>>> Otherwise I wouldn't have any device inside my jail. Verified - and like
>>> intended, right?
>>> Another notable discrepancy: The man page tells that devfs_ruleset is "4"
>>> by default.
>>> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
>>> 'sysctl security.jail.devfs_ruleset': 0
>>> When set, like mentioned above, it returns the corresponding value, but
>>> it doesn't have any effect.
>>> How does devfs_ruleset get handled? Does jail(8) do the whole job? I'd like
>>> to help finding the source, but have missed the whole new jail
>>> evolution...
>>> Inside my jails, I don't have a fstab, outside I have them defined and
>>> enabled with "mount" - and noticed the non-reverted umounting.
>>
>> Look at what's in /dev from your jail. There should be a few pseudo
>> devices (see below), but no real devices:
>>
>> $ ls /dev
>> crypto log ptmx random stdin urandom zfs
>> fd null pts stderr stdout zero
>
> I can confirm the mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC
>
> I am now testing new jail.conf possibilities and I am seeing all devices
> in /dev in jail.
>
> Even if I set all this in my jail.conf
>
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
> mount.devfs;
> devfs_ruleset = 4;
> allow.set_hostname = false;
>
> path = "/vol0/jail/$name";
> exec.consolelog = "/var/log/jail/$name.console";
> mount.fstab = "/etc/fstab.$name";
>
> ## Jail bali
> bali {
>     host.hostname = "bali.XXXXXXX.YY";
>     ip4.addr = xx.xx.xx.xx;
>     devfs_ruleset = 4;
> }
>
>
> # jexec 4 tcsh
> root@bali:/ # ls -l /dev/
> total 4
> crw-r--r-- 1 root wheel 0, 35 Mar 1 19:39 acpi
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad10 -> ada3
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad10s1 -> ada3s1
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1a -> ada3s1a
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1b -> ada3s1b
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1d -> ada3s1d
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1e -> ada3s1e
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1f -> ada3s1f
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1g -> ada3s1g
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad10s2 -> ada3s2
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2a -> ada3s2a
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2b -> ada3s2b
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2d -> ada3s2d
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2e -> ada3s2e
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad4 -> ada0
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad6 -> ada1
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad8 -> ada2
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad8s1 -> ada2s1
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1a -> ada2s1a
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1b -> ada2s1b
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1d -> ada2s1d
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1e -> ada2s1e
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1f -> ada2s1f
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1g -> ada2s1g
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad8s2 -> ada2s2
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2a -> ada2s2a
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2b -> ada2s2b
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2d -> ada2s2d
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2e -> ada2s2e
> crw-r----- 1 root operator 0, 106 Mar 1 19:39 ada0
> crw-r----- 1 root operator 0, 108 Mar 1 19:39 ada1
> crw-r----- 1 root operator 0, 114 Mar 1 19:39 ada2
> crw-r----- 1 root operator 0, 120 Mar 1 19:39 ada2s1
> crw-r----- 1 root operator 0, 130 Mar 1 19:39 ada2s1a
> crw-r----- 1 root operator 0, 132 Mar 1 19:39 ada2s1b
> crw-r----- 1 root operator 0, 134 Mar 1 19:39 ada2s1d
> crw-r----- 1 root operator 0, 136 Mar 1 19:39 ada2s1e
> crw-r----- 1 root operator 0, 138 Mar 1 19:39 ada2s1f
> crw-r----- 1 root operator 0, 140 Mar 1 19:39 ada2s1g
> crw-r----- 1 root operator 0, 122 Mar 1 19:39 ada2s2
> crw-r----- 1 root operator 0, 142 Mar 1 19:39 ada2s2a
> crw-r----- 1 root operator 0, 144 Mar 1 19:39 ada2s2b
> crw-r----- 1 root operator 0, 146 Mar 1 19:39 ada2s2d
> crw-r----- 1 root operator 0, 148 Mar 1 19:39 ada2s2e
> crw-r----- 1 root operator 0, 116 Mar 1 19:39 ada3
> crw-r----- 1 root operator 0, 124 Mar 1 19:39 ada3s1
> crw-r----- 1 root operator 0, 150 Mar 1 19:39 ada3s1a
> crw-r----- 1 root operator 0, 154 Mar 1 19:39 ada3s1b
> crw-r----- 1 root operator 0, 156 Mar 1 19:39 ada3s1d
> crw-r----- 1 root operator 0, 161 Mar 1 19:39 ada3s1e
> crw-r----- 1 root operator 0, 165 Mar 1 19:39 ada3s1f
> crw-r----- 1 root operator 0, 167 Mar 1 19:39 ada3s1g
> crw-r----- 1 root operator 0, 126 Mar 1 19:39 ada3s2
> crw-r----- 1 root operator 0, 170 Mar 1 19:39 ada3s2a
> crw-r----- 1 root operator 0, 173 Mar 1 19:39 ada3s2b
> crw-r----- 1 root operator 0, 175 Mar 1 19:39 ada3s2d
> crw-r----- 1 root operator 0, 177 Mar 1 19:39 ada3s2e
> crw------- 1 root kmem 0, 19 Mar 1 19:39 audit
> crw------- 1 root wheel 0, 11 Mar 1 19:39 bpf
> lrwxr-xr-x 1 root wheel 3 Mar 22 00:46 bpf0 -> bpf
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 cam
> crw-r----- 1 root operator 0, 118 Mar 1 19:39 cd0
> crw-r----- 1 root operator 0, 208 Mar 1 19:39 cd1
> crw------- 1 root wheel 0, 5 Mar 22 00:43 console
> crw------- 1 root wheel 0, 60 Mar 1 19:39 consolectl
> crw-rw-rw- 1 root wheel 0, 10 Mar 1 19:39 ctty
> crw-rw---- 1 uucp dialer 0, 41 Mar 1 19:39 cuau0
> crw-rw---- 1 uucp dialer 0, 42 Mar 1 19:39 cuau0.init
> crw-rw---- 1 uucp dialer 0, 43 Mar 1 19:39 cuau0.lock
> crw-rw---- 1 uucp dialer 0, 64 Mar 1 19:39 cuau1
> crw-rw---- 1 uucp dialer 0, 65 Mar 1 19:39 cuau1.init
> crw-rw---- 1 uucp dialer 0, 66 Mar 1 19:39 cuau1.lock
> crw-r----- 1 root operator 0, 209 Mar 1 19:39 da0
> crw-r----- 1 root operator 0, 210 Mar 1 19:39 da1
> crw------- 1 root wheel 0, 20 Mar 1 19:39 dcons
> crw------- 1 root wheel 0, 4 Mar 1 19:39 devctl
> cr-------- 1 root wheel 0, 100 Mar 1 19:39 devstat
> crw------- 1 root wheel 0, 21 Mar 1 19:39 dgdb
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 fd
> crw------- 1 root wheel 0, 15 Mar 1 19:39 fido
> crw-r----- 1 root operator 0, 3 Mar 1 19:39 geom.ctl
> crw------- 1 root wheel 0, 28 Mar 1 19:39 io
> lrwxr-xr-x 1 root wheel 5 Mar 22 00:46 kbd0 -> ukbd0
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 kbd1 -> kbdmux0
> crw------- 1 root wheel 0, 13 Mar 1 19:39 kbdmux0
> crw------- 1 root wheel 0, 9 Mar 1 19:39 klog
> crw-r----- 1 root kmem 0, 17 Mar 1 19:39 kmem
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 led
> crw------- 1 root wheel 0, 72 Mar 1 19:39 mdctl
> crw-r----- 1 root kmem 0, 16 Mar 1 19:39 mem
> crw-rw-rw- 1 root wheel 0, 7 Mar 1 19:39 midistat
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 mirror
> crw------- 1 root kmem 0, 18 Mar 1 19:39 nfslock
> crw-rw-rw- 1 root wheel 0, 22 Mar 22 00:55 null
> crw------- 1 root operator 0, 101 Mar 1 19:39 pass0
> crw------- 1 root operator 0, 102 Mar 1 19:39 pass1
> crw------- 1 root operator 0, 103 Mar 1 19:39 pass2
> crw------- 1 root operator 0, 104 Mar 1 19:39 pass3
> crw------- 1 root operator 0, 105 Mar 1 19:39 pass4
> crw------- 1 root operator 0, 185 Mar 1 19:39 pass5
> crw------- 1 root operator 0, 206 Mar 1 19:39 pass6
> crw------- 1 root operator 0, 207 Mar 1 19:39 pass7
> crw-r--r-- 1 root wheel 0, 24 Mar 1 19:39 pci
> crw------- 1 root wheel 0, 194 Mar 1 19:40 pf
> crw-rw-rw- 1 root wheel 0, 25 Mar 1 19:39 ptmx
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 pts
> crw-rw-rw- 1 root wheel 0, 26 Mar 1 20:40 random
> cr--r--r-- 1 root wheel 0, 6 Mar 1 19:39 sndstat
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stderr -> fd/2
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stdin -> fd/0
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stdout -> fd/1
> crw------- 1 root wheel 0, 8 Mar 1 19:39 sysmouse
> crw------- 1 root wheel 0, 38 Mar 1 19:39 ttyu0
> crw------- 1 root wheel 0, 39 Mar 1 19:39 ttyu0.init
> crw------- 1 root wheel 0, 40 Mar 1 19:39 ttyu0.lock
> crw------- 1 root wheel 0, 61 Mar 1 19:39 ttyu1
> crw------- 1 root wheel 0, 62 Mar 1 19:39 ttyu1.init
> crw------- 1 root wheel 0, 63 Mar 1 19:39 ttyu1.lock
> crw------- 1 root wheel 0, 44 Mar 1 19:40 ttyv0
> crw------- 1 root wheel 0, 45 Mar 1 19:40 ttyv1
> crw------- 1 root wheel 0, 46 Mar 1 19:40 ttyv2
> crw------- 1 root wheel 0, 47 Mar 1 19:40 ttyv3
> crw------- 1 root wheel 0, 48 Mar 1 19:40 ttyv4
> crw------- 1 root wheel 0, 49 Mar 1 19:40 ttyv5
> crw------- 1 root wheel 0, 50 Mar 1 19:40 ttyv6
> crw------- 1 root wheel 0, 51 Mar 1 19:40 ttyv7
> crw------- 1 root wheel 0, 52 Mar 1 19:39 ttyv8
> crw------- 1 root wheel 0, 53 Mar 1 19:39 ttyv9
> crw------- 1 root wheel 0, 54 Mar 1 19:39 ttyva
> crw------- 1 root wheel 0, 55 Mar 1 19:39 ttyvb
> crw------- 1 root wheel 0, 56 Mar 1 19:39 ttyvc
> crw------- 1 root wheel 0, 57 Mar 1 19:39 ttyvd
> crw------- 1 root wheel 0, 58 Mar 1 19:39 ttyve
> crw------- 1 root wheel 0, 59 Mar 1 19:39 ttyvf
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 ufs
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 ufsid
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen0.1 -> usb/0.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen1.1 -> usb/1.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen1.2 -> usb/1.2.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen2.1 -> usb/2.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen3.1 -> usb/3.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen3.2 -> usb/3.2.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen4.1 -> usb/4.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen5.1 -> usb/5.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen6.1 -> usb/6.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen7.1 -> usb/7.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen7.2 -> usb/7.2.0
> crw------- 1 root wheel 0, 163 Mar 1 19:39 ukbd0
> crw-r--r-- 1 root operator 0, 169 Mar 1 19:39 ums0
> crw-r--r-- 1 root operator 0, 172 Mar 1 19:39 ums1
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 urandom -> random
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 usb
> crw-r--r-- 1 root operator 0, 70 Mar 1 19:39 usbctl
> crw------- 1 root wheel 0, 69 Mar 1 19:39 vboxdrv
> crw------- 1 root wheel 0, 196 Mar 1 19:40 vboxnetctl
> crw------- 1 root operator 0, 71 Mar 1 19:39 xpt0
> crw-rw-rw- 1 root wheel 0, 23 Mar 1 19:39 zero
>
>
> Is it a problem in my understanding of manpage / configuration, or is it
> a bug in jail command on 9.1-RELEASE?
>
> Miroslav Lachman

It's a bug (deficiency) in the jail command.

- Jamie
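The practical question raised by this thread is how to tell whether a jail's devfs really has the ruleset applied, since the `security.jail.devfs_ruleset` sysctl only reports the configured number. The script below is an added example (not from the thread or from FreeBSD's own jail(8) code): it compares the contents of a jail's /dev against the set of pseudo devices Jeremie listed for ruleset 4 and prints anything else that is visible, such as the disks, `bpf` and `kmem` in Miroslav's listing. The expected-device list is taken from the quoted `ls /dev`; the `devfs -m ... rule -s 4 applyset` call in `apply_ruleset_manually` is the standard devfs(8) way to apply a ruleset to an existing mount and is offered as a host-side workaround assumption; `/path/to/jail` is a placeholder for the jail's `path`.

```shell
#!/bin/sh
# Added example: verify that a jail's devfs exposes only the pseudo devices
# expected under devfs_ruleset 4, and report everything else that leaked in.

# Entries expected in /dev under the default jail ruleset (4), taken from
# the `ls /dev` output quoted in the thread.
EXPECTED_DEVS="crypto fd log null ptmx pts random stderr stdin stdout urandom zero zfs"

# check_jail_dev DIR
# Prints every entry of DIR that is not in EXPECTED_DEVS, one per line.
# Returns 0 when only expected pseudo devices are present, 1 otherwise.
check_jail_dev() {
    dir=$1
    leaked=0
    for entry in "$dir"/*; do
        # An unmatched glob leaves the literal pattern; skip it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case " $EXPECTED_DEVS " in
            *" $name "*) ;;                        # allowed pseudo device
            *) printf '%s\n' "$name"; leaked=1 ;;  # real device or other leak
        esac
    done
    return $leaked
}

# count_leaked DIR
# Number of unexpected entries in DIR (handy for summaries and tests).
count_leaked() {
    check_jail_dev "$1" | wc -l | tr -d ' '
}

# apply_ruleset_manually JAIL_PATH
# FreeBSD host-side workaround (assumption, not exercised by the test):
# apply ruleset 4 to the jail's devfs mount with devfs(8) and re-check.
# JAIL_PATH is a placeholder for the jail.conf `path` value.
apply_ruleset_manually() {
    jail_path=${1:-/path/to/jail}
    devfs -m "$jail_path/dev" rule -s 4 applyset
    if check_jail_dev "$jail_path/dev"; then
        echo "$jail_path/dev: only expected pseudo devices visible"
    else
        echo "$jail_path/dev: unexpected devices still visible (listed above)"
    fi
}
```

Run `check_jail_dev /path/to/jail/dev` from the host (or `check_jail_dev /dev` inside the jail) after `jail -c`; an empty result with exit status 0 means the ruleset took effect, while a list of disk, `bpf` or `kmem` nodes reproduces the behaviour reported above.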