Date: Fri, 20 Nov 2015 00:07:48 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 152465] [jail] [patch] devfs is mounted in jails without rules if devfs.rules can't be parsed
Message-ID: <bug-152465-9824-cnTUxo5i7Q@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-152465-9824@https.bugs.freebsd.org/bugzilla/>
References: <bug-152465-9824@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=152465

--- Comment #5 from Andrey Zholos <aaz@q-fu.com> ---

The same thing can still happen. Below is an updated scenario for 11.0-CURRENT.

Perhaps it's not a likely scenario, but it did happen to me once five years ago.

I'd suggest not starting the jail if the configured devfs_ruleset doesn't exist, but someone might do that on purpose and configure the rules in exec.prestart. Another option is for the devfs.rules parser to attempt to load subsequent rulesets after an error, or just documenting that important rulesets go first.

How-To-Repeat:

Install cups, following pkg-message to set up devfs:

# pkg install -y cups
# cat >>/etc/devfs.rules
[system=10]
add path 'usb*' mode 0770 group cups
add path 'ugen*' mode 0660 group cups
^D

Create jail:

# cat >>/etc/devfs.rules
[sandbox=100]
add hide
^D
# cat >>/etc/jail.conf
sandbox {
        path = /sandbox;
        ip4.addr = 10.1.1.1;
        mount.devfs;
        devfs_ruleset = 100;
        exec.start = "/dd if=/dev/ada0 of=ada0_copy count=1";
}
^D
# cat >>/etc/rc.conf
jail_enable=YES
^D
# mkdir /sandbox /sandbox/dev
# cp /rescue/dd /sandbox/

Reboot. Jailed command can't access /dev/ada0:

# ls /sandbox
dd      dev

Uninstall cups, following the suggestion to remove the user (which removes the cups group):

# pkg delete -y cups-base
==> You should manually remove the "cups" user.
# rmuser -y cups

Reboot. There's a console warning:

devfs rule: error converting to integer: cups
/etc/rc: WARNING: devfs_init_rulesets: could not read rules from /etc/devfs.rules

But the jailed command starts anyway and can now access /dev/ada0:

# ls /sandbox
ada0_copy       dd      dev

-- 
You are receiving this mail because:
You are the assignee for the bug.
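The first suggestion in the comment above (do not start the jail if the configured ruleset is not usable) can be implemented as an exec.prestart check. The script below is an added example and is not part of the bug report, of FreeBSD's rc scripts or of devfs(8); it assumes the rules file path and ruleset number are passed as arguments, that getent(1) is available for name resolution, and that jail(8) will not create the jail when a prestart command exits non-zero. It checks the whole file, not only the wanted ruleset, because the scenario above shows that an unresolvable "group cups" in [system=10] stopped [sandbox=100] from being loaded at all.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeBSD): pre-start check for a
# jail that uses "devfs_ruleset = N".  Exit 0 only if the rules file contains
# a [name=N] section and every user/group named anywhere in the file resolves.
# Assumed: FILE and RULESET come from the command line; getent(1) exists.

# Name lookups are isolated here so they can be overridden for offline tests.
group_exists() { getent group "$1" >/dev/null 2>&1; }
user_exists()  { getent passwd "$1" >/dev/null 2>&1; }

# is_number NAME: devfs accepts numeric uids/gids, which need no lookup.
is_number() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# devfs_rules_check FILE RULESET
# Returns 0 if ok, 1 if no [something=RULESET] section exists, 2 if some
# user/group name in FILE does not resolve (the condition that triggered
# "devfs rule: error converting to integer: cups" in the report).
devfs_rules_check() {
    file=$1
    want=$2
    found=0
    bad=0
    set -f                          # rule patterns such as 'usb*' must not glob
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            '['*'='*']')            # section header: [name=number]
                num=${line#*=}
                num=${num%]}
                [ "$num" = "$want" ] && found=1
                continue ;;
        esac
        # Walk the rule's tokens looking for "group NAME" / "user NAME".
        set -- $line
        while [ $# -gt 1 ]; do
            case $1 in
                group)
                    is_number "$2" || group_exists "$2" || {
                        echo "devfs_rules_check: unknown group '$2' in: $line" >&2
                        bad=1
                    } ;;
                user)
                    is_number "$2" || user_exists "$2" || {
                        echo "devfs_rules_check: unknown user '$2' in: $line" >&2
                        bad=1
                    } ;;
            esac
            shift
        done
    done < "$file"
    set +f
    if [ "$found" -eq 0 ]; then
        echo "devfs_rules_check: no ruleset $want in $file" >&2
        return 1
    fi
    [ "$bad" -eq 0 ] || return 2
    return 0
}

# write_sample_rules FILE: constructed copy of the /etc/devfs.rules from the
# report, used for offline testing.
write_sample_rules() {
    cat > "$1" <<'EOF'
[system=10]
add path 'usb*' mode 0770 group cups
add path 'ugen*' mode 0660 group cups

[sandbox=100]
add hide
EOF
}

# Stand-alone use, e.g. in jail.conf (hypothetical install path):
#   exec.prestart = "/usr/local/sbin/devfs_rules_check /etc/devfs.rules 100";
if [ $# -eq 2 ]; then
    devfs_rules_check "$1" "$2"
    exit $?
fi
```

With the cups group removed, the check exits 2 and the jail is not started, instead of coming up with an unfiltered /dev as in the scenario above; a typo in devfs_ruleset is caught by the missing-section case. Someone who deliberately creates the ruleset in exec.prestart, as the comment mentions, would simply not use this check or would run it after the ruleset is created.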