From owner-freebsd-jail@freebsd.org  Thu Jul  7 09:04:01 2016
Return-Path: <owner-freebsd-jail@freebsd.org>
Delivered-To: freebsd-jail@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8CA9CB74164
 for <freebsd-jail@mailman.ysv.freebsd.org>;
 Thu,  7 Jul 2016 09:04:01 +0000 (UTC)
 (envelope-from 000.fbsd@quip.cz)
Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 50FD81CF2
 for <freebsd-jail@freebsd.org>; Thu,  7 Jul 2016 09:04:00 +0000 (UTC)
 (envelope-from 000.fbsd@quip.cz)
Received: from elsa.codelab.cz (localhost [127.0.0.1])
 by elsa.codelab.cz (Postfix) with ESMTP id E4936284AE;
 Thu,  7 Jul 2016 11:03:56 +0200 (CEST)
Received: from illbsd.quip.test (ip-86-49-16-209.net.upcbroadband.cz
 [86.49.16.209])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by elsa.codelab.cz (Postfix) with ESMTPSA id C875D2848E;
 Thu,  7 Jul 2016 11:03:55 +0200 (CEST)
Message-ID: <577E1AFB.90100@quip.cz>
Date: Thu, 07 Jul 2016 11:03:55 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:35.0) Gecko/20100101 Firefox/35.0 SeaMonkey/2.32
MIME-Version: 1.0
To: Grzegorz Junka <list1@gjunka.com>, freebsd-jail@freebsd.org
Subject: Re: Effective rule sets in a jail?
References: <2aeb6798-11ee-27c0-610a-d745aa322f97@gjunka.com>
 <CANJ8om5R-BT=heC+giMTXFH8YQXhuPQZjQ_S-P1bQ1XBGS16uQ@mail.gmail.com>
 <577E0A78.1040600@quip.cz> <2c9d10fd-35ba-5470-026d-a1483e47fcf2@gjunka.com>
In-Reply-To: <2c9d10fd-35ba-5470-026d-a1483e47fcf2@gjunka.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)" <freebsd-jail.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-jail>,
 <mailto:freebsd-jail-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-jail/>
List-Post: <mailto:freebsd-jail@freebsd.org>
List-Help: <mailto:freebsd-jail-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-jail>,
 <mailto:freebsd-jail-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2016 09:04:01 -0000

Grzegorz Junka wrote on 07/07/2016 10:41:


> I was referring to this clause in the man document:
>
> Descendant jails inherit the parent jail's devfs ruleset enforcement.

This is true for hierarchical "nested" jails = jail inside jail.
And inheriting doesn't mean merging.
You can't allow devices in descendant jail which are not allowed on parent.

> I thought that the outside rule is combined with the inside rule in the
> jail definition. But thanks for the hint about jls -s, it does shows the
> (single) active rule set (however without referring to the specific
> rules defined in devfs.rules or a combination of it).

You are mixing nested jails context with jail.conf context where 
"outside" definitions are the defaults for all jails which are not 
overriding those values with own values.

Miroslav Lachman