From owner-freebsd-jail@freebsd.org Fri Nov 20 00:07:49 2015
Delivered-To: freebsd-jail@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2FB9DA3338A for ; Fri, 20 Nov 2015 00:07:49 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 01E991A65 for ; Fri, 20 Nov 2015 00:07:49 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id tAK07mHn086382 for ; Fri, 20 Nov 2015 00:07:48 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 152465] [jail] [patch] devfs is mounted in jails without rules if devfs.rules can't be parsed
Date: Fri, 20 Nov 2015 00:07:48 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: conf
X-Bugzilla-Version: 9.0-CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: aaz@q-fu.com
X-Bugzilla-Status: In Progress
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: freebsd-jail@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Fri, 20 Nov 2015 00:07:49 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=152465

--- Comment #5 from Andrey Zholos ---

The same thing can still happen. Below is an updated scenario for 11.0-CURRENT.

Perhaps it's not a likely scenario, but it did happen to me once five years ago.

I'd suggest not starting the jail if the configured devfs_ruleset doesn't exist, but someone might do that on purpose and configure the rules in exec.prestart. Another option is for the devfs.rules parser to attempt to load subsequent rulesets after an error, or just documenting that important rulesets go first.

How-To-Repeat:

Install cups, following pkg-message to set up devfs:

    # pkg install -y cups
    # cat >>/etc/devfs.rules
    [system=10]
    add path 'usb*' mode 0770 group cups
    add path 'ugen*' mode 0660 group cups
    ^D

Create jail:

    # cat >>/etc/devfs.rules
    [sandbox=100]
    add hide
    ^D
    # cat >>/etc/jail.conf
    sandbox {
        path = /sandbox;
        ip4.addr = 10.1.1.1;
        mount.devfs;
        devfs_ruleset = 100;
        exec.start = "/dd if=/dev/ada0 of=ada0_copy count=1";
    }
    ^D
    # cat >>/etc/rc.conf
    jail_enable=YES
    ^D
    # mkdir /sandbox /sandbox/dev
    # cp /rescue/dd /sandbox/

Reboot. Jailed command can't access /dev/ada0:

    # ls /sandbox
    dd      dev

Uninstall cups, following the suggestion to remove the user (which removes the cups group):

    # pkg delete -y cups-base
    ==> You should manually remove the "cups" user.
    # rmuser -y cups

Reboot. There's a console warning:

    devfs rule: error converting to integer: cups
    /etc/rc: WARNING: devfs_init_rulesets: could not read rules from /etc/devfs.rules

But the jailed command starts anyway and can now access /dev/ada0:

    # ls /sandbox
    ada0_copy       dd      dev

-- 
You are receiving this mail because:
You are the assignee for the bug.
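An added example, not part of the bug report and not code from FreeBSD's rc scripts: a POSIX sh check that an exec.prestart hook could run so that a jail with mount.devfs is refused when /etc/devfs.rules does not parse cleanly or when the ruleset named by devfs_ruleset is not defined in it. The function names check_devfs_rules and is_known_group, the argument layout and the sample rules in the comments are assumptions of this example; the list of existing groups is passed in as an argument so the check runs anywhere, and on FreeBSD it would be built from getent(1).

```shell
#!/bin/sh
# Example pre-start validator for /etc/devfs.rules (not from the bug
# report or from FreeBSD's rc.subr).  It checks, before a jail starts:
#   - every "[name=NUM]" header carries a numeric ruleset number,
#   - every "group" argument is numeric or names a known group (the case
#     in the report: the "cups" group was removed, so devfs(8) failed
#     with "error converting to integer: cups"),
#   - the ruleset the jail is configured with is actually defined.
# Returns 0 only when every check passes.
#
# Usage: check_devfs_rules RULES_FILE RULESET_NUMBER "group1 group2 ..."
# On FreeBSD the third argument can be built with:
#   getent group | cut -d: -f1 | tr '\n' ' '

is_known_group() {
    # $1 = group name, $2 = space-separated list of known group names
    name=$1
    for g in $2; do
        if [ "$g" = "$name" ]; then
            return 0
        fi
    done
    return 1
}

check_devfs_rules() {
    rules_file=$1
    want_ruleset=$2
    known_groups=$3
    found=0
    status=0
    lineno=0
    set -f    # rule lines carry globs such as 'usb*'; never expand them
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*)
                continue ;;
            '['*'='*']')
                # [name=NUM]: the number after '=' identifies the ruleset
                num=${line#*=}
                num=${num%]}
                case "$num" in
                    ''|*[!0-9]*)
                        echo "$rules_file:$lineno: bad ruleset number in $line" >&2
                        status=1
                        continue ;;
                esac
                if [ "$num" = "$want_ruleset" ]; then
                    found=1
                fi
                ;;
            add\ *|del\ *|delete\ *)
                # walk the words of the rule: the word after "group" must be
                # numeric or resolve to a group that exists on this host
                set -- $line
                while [ $# -gt 1 ]; do
                    if [ "$1" = "group" ]; then
                        shift
                        case "$1" in
                            *[!0-9]*)
                                if ! is_known_group "$1" "$known_groups"; then
                                    echo "$rules_file:$lineno: unknown group '$1'" >&2
                                    status=1
                                fi ;;
                        esac
                    fi
                    shift
                done
                ;;
            *)
                echo "$rules_file:$lineno: unrecognised rule: $line" >&2
                status=1 ;;
        esac
    done < "$rules_file"
    set +f
    if [ "$found" -ne 1 ]; then
        echo "$rules_file: ruleset $want_ruleset is not defined" >&2
        status=1
    fi
    return "$status"
}
```

Run from an exec.prestart line with the jail's ruleset number (for example exec.prestart = "/usr/local/sbin/check_devfs_rules.sh 100", a hypothetical path), a nonzero exit stops jail(8) from creating the jail, which is the first option the comment proposes. The check deliberately fails on any error in the file, not just in the wanted ruleset, because the console warning quoted above shows the whole file being rejected once one rule cannot be converted.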