Date:      Mon, 11 Mar 2019 19:05:23 +0900
From:      =?UTF-8?B?SGlyb28gT25vICjlsI/ph47lr5vnlJ8p?= <hiroo.ono+freebsd@gmail.com>
To:        freebsd-users-jp <freebsd-users-jp@freebsd.org>
Subject:   [FreeBSD-users-jp 96386]  =?utf-8?b?amFpbCDjgasgZGV2ZnNfcnVsZXNldCDjgYzlj43mmKDjgZXjgow=?= =?utf-8?b?44Gq44GE?=
Message-ID:  <CANtk6SiW2%2B_MNofpjLFoB3K_N1nPmRvKy3HWjeYSxXd5=aFPiQ@mail.gmail.com>


小野寛生です。

stable/12 r344791 で vnet jail を動かしているのですが、jail.conf で指定したルールセットが反映されておらず、
デフォルト(0) の状態になって、jail 内でも /dev 以下がすべて見えてしまっています。
また、host で

jail -n gate -m devfs_ruleset=12

とやっても jail の security.jail.devfs_ruleset の値が変化しません。
何か設定ミスがあるのだと思いますが、devfs_ruleset を反映するにはどうすればよいか教えてください。
jail.conf と devfs.rules は下記のようになっています。

==================== jail.conf =====================
# Global defaults applied to every jail defined below.
# NOTE(review): this global ruleset 12 is overridden for "gate" by the
# per-jail devfs_ruleset=11 in its section below, so "gate" never uses 12.
devfs_ruleset = 12;
# enforce_statfs = 1;
# allow.mount + allow.mount.devfs let the jail (re)mount devfs itself;
# with the default ruleset 0 such a mount hides nothing, which matches
# the reported symptom of the whole /dev being visible inside the jail.
allow.mount;
allow.mount.devfs;
allow.sysvipc;
vnet;

host.hostname = "${name}.oikumene.ukehi.net";
path = "/usr/jails/${name}";
exec.clean;
exec.consolelog = "/var/log/jail_${name}_console.log";
exec.system_user = "root";
exec.jail_user = "root";
mount.fstab = "/etc/fstab.${name}";
# mount.devfs is the mount jail(8) performs at start; the devfs_ruleset
# parameter is what should be applied to it.
mount.devfs;
mount.fdescfs;
mount.procfs;

$ifconfig = "/sbin/ifconfig";
#$rotate = "";

exec.prestart += "${ifconfig} epair${ifa}a up";
exec.poststart += "${ifconfig} epair${ifa}b vnet ${name}";
# NOTE(review): this string runs across several lines; confirm whether the
# embedded newline is really in jail.conf or only mail wrapping.
exec.poststart += "jexec ${name} ${ifconfig} epair${ifa}b inet ${ip4addra}/24 up

";

exec.prestop += "jexec ${name} /bin/sh /etc/rc.shutdown";
exec.prestop += "${ifconfig} epair${ifa}b -vnet ${name}";
# exec.poststop += "${rotate} /var/log/jail_${name}_console.log";

gate {
        # Per-jail override of the global devfs_ruleset (12 -> 11).
        devfs_ruleset=11;
        allow.raw_sockets;
        securelevel = 2;
        vnet.interface = "ue0";
        $ifa = 0;
        $ip4addra = 192.168.8.1;

        $ifb = 3b;
        $ip4addrb = 192.168.9.1;
        vnet.interface += epair${ifb};
        #exec.poststart += "${ifconfig} epair${ifb} vnet ${name}";
        # NOTE(review): string spans two lines here as well — see note above.
        exec.poststart += "jexec ${name} ${ifconfig} epair${ifb}
${ip4addrb}/24 up fib 1";
        exec.prestop += "${ifconfig} epair${ifb} -vnet ${name}";
        exec.prestop += "${ifconfig} ue0 -vnet ${name}";
}

inner {
        # No devfs_ruleset here: inherits the global value (12).
        depend = "dc";
        $ifa = 1;
        $ip4addra = 192.168.8.2;

        $ifb = 4b;
        $ip4addrb = 192.168.9.2;
        vnet.interface += epair${ifb};
        #exec.poststart += "${ifconfig} epair${ifb} vnet ${name}";
        exec.poststart += "jexec ${name} ${ifconfig} epair${ifb}
${ip4addrb}/24 up fib 1";
        exec.prestop += "${ifconfig} epair${ifb} -vnet ${name}";
}

dc {
        # No devfs_ruleset here: inherits the global value (12).
        $ifa = 2;
        $ip4addra = 192.168.8.3;
}

exec.poststart += "jexec ${name} /bin/sh /etc/rc";
===============================================

=================== devfs.rules ====================
# Ruleset 10: only makes /dev/log visible.
[devfsrules_unhide_log=10]
add path log unhide

# Ruleset 11 (used by "gate"): base jail ruleset plus /dev/log and bpf nodes.
# $devfsrules_jail is presumably the stock jail ruleset from
# /etc/defaults/devfs.rules — confirm it is defined on this host.
[devfsrules_jail_bpf=11]
add include $devfsrules_jail
add include $devfsrules_unhide_log
add path 'bpf*' unhide

# Ruleset 12 (global default in jail.conf): base jail ruleset plus /dev/log.
[devfsrules_jail_log=12]
add include $devfsrules_jail
add include $devfsrules_unhide_log
===============================================

