Date: Mon, 18 Feb 2013 17:29:56 +0100
From: Mateusz Guzik
To: Jamie Gritton
Subject: Re: new jail(8) ignoring devfs_ruleset?
Message-ID: <20130218162956.GA1834@dft-labs.eu>
In-Reply-To: <51225642.2010501@FreeBSD.org>
Cc: Harald Schmalzbauer, freebsd-stable, freebsd-jail

On Mon, Feb 18, 2013 at 09:26:42AM -0700, Jamie Gritton wrote:
> On 02/18/13 01:54, Harald Schmalzbauer wrote:
> > Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
> >> On 02/15/13 09:27, Harald Schmalzbauer wrote:
> >>> Hello,
> >>>
> >>> As already posted, on 9.1-R, I highly appreciate the new jail(8) and
> >>> jail.conf capabilities. Thanks for that extension!
> >>>
> >>> By accident I saw that "devfs_ruleset" seems to be ignored.
> >>> If I list /dev/ I see all the host's disk devices etc.
> >>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
> >>> Inside the jail,
> >>> sysctl security.jail.devfs_ruleset returns "1".
> >>> But as mentioned, I can access all devices...
> >>>
> >>> Thanks for any help,
> >>>
> >>> -Harry
> >>
> >> devfs_ruleset is only used along with mount.devfs - do you also have
> >> that set in jail.conf?
> >
> > Thanks for your response.
> >
> > Yes, I have mount.devfs; set.
> > Otherwise I wouldn't have any device inside my jail. Verified - and as
> > intended, right?
> > Another notable discrepancy: the man page says that devfs_ruleset is "4"
> > by default.
> > But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
> > 'sysctl security.jail.devfs_ruleset': 0
> > When set, as mentioned above, it returns the corresponding value, but
> > it doesn't have any effect.
> > How does devfs_ruleset get handled? Does jail(8) do the whole job? I'd like
> > to help find the source, but have missed the whole new jail evolution...
> > Inside my jails, I don't have an fstab; outside I have them defined and
> > enabled with "mount" - and noticed the non-reverted unmounting.
>
> I found the problem - I noticed you mentioned 9.1-R, and took a look at
> devfs(5). On CURRENT, there's a mount option "ruleset" that isn't there
> on 9.
>
> So I'll have to get around it by running devfs(8) after the mount. I'll
> work on a patch for that.
>

Why not MFC support for that mount option instead?

-- 
Mateusz Guzik
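Editor's note: the fragment below is an added, constructed jail.conf example; it is not from the thread, from jail(8) or from Jamie's patch. It shows the configuration Harald describes (mount.devfs plus devfs_ruleset, which on 9.1-R records the ruleset number but does not apply it) next to the workaround Jamie proposes, applying the ruleset with devfs(8) from the host after the mount. The jail name, path, hostname and address are assumptions; ruleset 4 is devfsrules_jail from /etc/defaults/devfs.rules.

```conf
# /etc/jail.conf (constructed example; jail name, path and address are assumed)
#
# Rulesets are loaded from /etc/defaults/devfs.rules and /etc/devfs.rules by
# the devfs rc script; ruleset 4 is devfsrules_jail. Before relying on it,
# confirm it exists on the host:   devfs rule showsets

www {
    path = "/jails/www";                 # assumed jail root
    host.hostname = "www.example.org";   # assumed
    ip4.addr = 192.0.2.10;               # assumed, documentation range

    # Intended mechanism: jail(8) mounts a devfs on $path/dev and is meant to
    # apply devfs_ruleset to it. Per the thread, on 9.1-R the value shows up
    # in sysctl security.jail.devfs_ruleset inside the jail but the /dev
    # contents are not filtered, because the devfs "ruleset" mount option
    # only exists on CURRENT.
    mount.devfs;
    devfs_ruleset = 4;
    enforce_statfs = 1;

    # Workaround along the lines Jamie describes: run devfs(8) against the
    # jail's devfs from the host after the mount. exec.poststart runs in the
    # host environment once the jail is up, and $path expands to the jail root.
    exec.poststart = "devfs -m $path/dev rule -s 4 applyset";

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}
```

After `jail -c www`, check from the host that `ls /jails/www/dev` no longer lists the host's disk nodes and shows only what the ruleset unhides; if it still shows everything, verify with `devfs rule showsets` that ruleset 4 was actually loaded, since applyset against a missing ruleset hides nothing. Note that exec.poststart runs after exec.start, so the ruleset is not in force during the jail's own rc startup.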