From: James Gritton <jamie@freebsd.org>
To: freebsd-jail@freebsd.org
Date: Sat, 16 Nov 2013 18:02:20 -0700
Subject: Re: rc.d/jail not loading default devfs rulesets
Message-ID: <5288159C.1090202@freebsd.org>
In-Reply-To: <2632E87C-F5D4-4F24-B392-BA0626049A22@demter.de>

On 11/16/2013 2:41 PM, Jan Demter wrote:
> Is it intentional that rc.d/jail does not load the default devfs rulesets on -CURRENT and 10.0? It used to work like this on 9.x and earlier; now you have to explicitly load them (e.g. with devfs_load_rulesets in rc.conf).
>
> If you do not do this, ruleset 4 (devfsrules_jail) will just be created and left empty on mount of the in-jail /dev, making the normal set of device nodes available. That is quite an easy escape path :)
>
> This does not seem to be documented anywhere and is somewhat surprising, so I suspect it is an oversight? Apart from that I really like the work on jail.conf, thanks a lot!

Yes, that's an oversight. The current rc.d/jail script needs work, and this is part of the work it needs. It might be as simple as changing the rc script's dependencies.

- Jamie
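A pre-flight check for the condition Jan describes, added here as an example and not part of the thread or of the FreeBSD rc scripts. It assumes FreeBSD devfs(8) semantics: that `devfs rule -s N show` prints one rule per line and prints nothing for a ruleset that exists but is empty, and that ruleset 4 is the devfsrules_jail set from /etc/defaults/devfs.rules. The sample outputs at the bottom are constructed so the logic can be exercised on a host without devfs.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): refuse to trust a jail's
# /dev until devfs ruleset 4 (devfsrules_jail) is known to be populated.
#
# Assumptions (not verified by the thread):
#   - 'devfs rule -s N show' prints one rule per line, nothing for an empty set.
#   - Ruleset 4 is the devfsrules_jail set from /etc/defaults/devfs.rules.

JAIL_RULESET=4

# count_rules: read 'devfs rule show' output on stdin and print the number of
# rule lines. Each rule starts with its numeric rule number.
count_rules() {
    # grep -c prints "0" but exits 1 when nothing matches; keep the "0".
    grep -c '^[0-9]' || true
}

# ruleset_populated: $1 is captured 'devfs rule -s N show' output.
# Returns 0 if at least one rule is present, 1 if the set is empty, which is
# the case where the in-jail /dev gets the host's full set of device nodes.
ruleset_populated() {
    n=$(printf '%s\n' "$1" | count_rules)
    [ "$n" -gt 0 ]
}

# check_live_ruleset: query the running kernel. Only meaningful on FreeBSD;
# elsewhere it reports that devfs(8) is unavailable and returns 2.
check_live_ruleset() {
    if ! command -v devfs >/dev/null 2>&1; then
        echo "devfs(8) not available on this host" >&2
        return 2
    fi
    out=$(devfs rule -s "$JAIL_RULESET" show 2>/dev/null)
    if ruleset_populated "$out"; then
        echo "ruleset $JAIL_RULESET has $(printf '%s\n' "$out" | count_rules) rule(s); ok"
    else
        echo "WARNING: ruleset $JAIL_RULESET is empty; a jail mounting devfs with it" >&2
        echo "         will see the host's normal device nodes." >&2
        echo "         Set devfs_load_rulesets=\"YES\" in /etc/rc.conf (as the post notes)" >&2
        echo "         and load the rulesets before starting jails." >&2
        return 1
    fi
}

# Constructed sample outputs for offline demonstration of the decision logic.
# SAMPLE_POPULATED mirrors the shape of the default devfsrules_jail set:
# three includes (hide_all, unhide_basic, unhide_login) plus two unhides.
SAMPLE_EMPTY=""
SAMPLE_POPULATED="100 include 1
200 include 2
300 include 3
400 path fuse unhide
500 path zfs unhide"

# Run the live check only when asked, so the file can be sourced for its
# functions without touching the kernel.
if [ "${1:-}" = "--live" ]; then
    check_live_ruleset
fi
```

Run it as `sh check_jail_devfs.sh --live` on the jail host before `service jail start`; a non-zero exit means ruleset 4 is empty and jails started now would get an unfiltered /dev. The offline functions take captured `devfs rule -s 4 show` text so the same logic can be tested away from a FreeBSD box.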