From owner-freebsd-jail@freebsd.org Thu Jul 7 09:42:07 2016
Subject: Re: Effective rule sets in a jail?
To: freebsd-jail@freebsd.org
From: Grzegorz Junka
Date: Thu, 7 Jul 2016 09:42:04 +0000
Message-ID: <6ccead58-a38a-80a4-b5b8-a509c4271b8f@gjunka.com>
In-Reply-To: <577E1AFB.90100@quip.cz>
References: <2aeb6798-11ee-27c0-610a-d745aa322f97@gjunka.com> <577E0A78.1040600@quip.cz> <2c9d10fd-35ba-5470-026d-a1483e47fcf2@gjunka.com> <577E1AFB.90100@quip.cz>
List-Id: "Discussion about FreeBSD jail(8)"

On 07/07/2016 09:03, Miroslav Lachman wrote:
> Grzegorz Junka wrote on 07/07/2016 10:41:
>
>> I was referring to this clause in the man document:
>>
>> Descendant jails inherit the parent jail's devfs ruleset enforcement.
>
> This is true for hierarchical "nested" jails = jail inside jail.
> And inheriting doesn't mean merging.
> You can't allow devices in a descendant jail which are not allowed on the
> parent.
>
>> I thought that the outside rule is combined with the inside rule in the
>> jail definition. But thanks for the hint about jls -s, it does show the
>> (single) active rule set (however without referring to the specific
>> rules defined in devfs.rules or a combination of them).
>
> You are mixing the nested jails context with the jail.conf context, where
> "outside" definitions are the defaults for all jails which are not
> overriding those values with their own values.
>
> Miroslav Lachman

OK, I am just a user, not very familiar with the terminology. For me (as a programmer) inheriting means overriding, so merging the more specific with the less specific declarations. Does it mean that the "inheriting" works in nested declarations but doesn't take into account the default value?

In other words, the default is just a default unless it is redefined in a jail declaration. If that's the case, then wouldn't it be clearer to name the "outside" default declaration as default, e.g. "default_devfs_ruleset"? Then it would be more difficult to confuse the default with the one that can be inherited.

Grzegorz
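As an added illustration (not part of the original thread or of FreeBSD's own tooling), here is a small shell resolver over a constructed jail.conf that applies exactly the rule Miroslav describes: a top-level devfs_ruleset is the default, a per-jail value replaces it, and nothing is merged. The config text and the jail names www/db are constructed; nested-jail enforcement (a child cannot unhide what its parent hides) is a separate mechanism and is not modelled here.

```shell
#!/bin/sh
# Constructed sample jail.conf (not a real host's config): the top-level
# devfs_ruleset is the default; the "db" block overrides it, "www" does not.
SAMPLE_JAIL_CONF='# top-level parameters are defaults for every jail below
devfs_ruleset = 4;
mount.devfs;

www {
    path = /jails/www;
}

db {
    path = /jails/db;
    devfs_ruleset = 10;   # per-jail value wins; it is not merged with 4
}'

# Print the effective devfs_ruleset for the jail named in $1, resolving it the
# way jail.conf does: a value inside the jail block, else the top-level default.
# Exits 1 when neither is set.
effective_devfs_ruleset() {
    printf '%s\n' "$SAMPLE_JAIL_CONF" | awk -v jail="$1" '
        /^[[:space:]]*#/ { next }                          # full-line comment
        /\{/ { depth++; if (depth == 1) cur = $1; next }   # "name {" opens a jail block
        /\}/ { depth--; if (depth == 0) cur = ""; next }
        /devfs_ruleset[[:space:]]*=/ {
            v = $0
            sub(/.*=[[:space:]]*/, "", v)          # drop everything up to the value
            sub(/[[:space:];].*/, "", v)           # drop ";" and any trailing comment
            if (depth == 0) def = v                # outside any block: the default
            else if (cur == jail) ovr = v          # inside the requested jail: override
        }
        END {
            if (ovr != "") print ovr
            else if (def != "") print def
            else exit 1
        }'
}

# Usage: prints 4 for www (default applies) and 10 for db (override applies)
for j in www db; do
    printf '%s: devfs_ruleset=%s\n' "$j" "$(effective_devfs_ruleset "$j")"
done
```

On a real host the authoritative check is the one Miroslav suggests, jls -s, which reports the single ruleset number the kernel actually applies to each running jail.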