Date: Sat, 16 Nov 2013 17:57:04 -0700
From: James Gritton <jamie@freebsd.org>
To: freebsd-jail@freebsd.org
Subject: Re: rc.d/jail not loading default devfs rulesets
Message-ID: <52881460.8090507@freebsd.org>
In-Reply-To: <2632E87C-F5D4-4F24-B392-BA0626049A22@demter.de>
References: <2632E87C-F5D4-4F24-B392-BA0626049A22@demter.de>

On 11/16/2013 2:41 PM, Jan Demter wrote:
> While looking around in the docs, I also noticed that jail(8) has contradicting info on the default ruleset for jails:
> devfs_ruleset: "A value of zero (default) means no ruleset is enforced."
> mount.devfs: “[…] or a default of ruleset 4: devfsrules_jail […]”
> The latter seems to be correct, though it will probably be an empty ruleset as described above.

Those parameters control different things. devfs_ruleset is the ruleset that is used if devfs is mounted by a process within the jail (which, as noted, requires specific permission). mount.devfs is only for (the host system) mounting devfs before the jail is created; while it takes its ruleset from devfs_ruleset, it includes a further default of rule 4.

I used the default of 4 for mount.devfs's behavior to copy what was already being done in the shell-script-based jail creation in the old rc.d/jail - the goal of much of the "pseudo-parameter" part of jail(8) was to do the same as that script had already done. It would have made sense for devfs_ruleset's original behavior to use ruleset four as well, but I hadn't considered anything user-level at the time.

So yes, they have ended up with contradictory behavior, though each alone acts as documented.

- Jamie

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52881460.8090507>
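
The two defaults described in the message above, shown in a jail.conf entry that sets the ruleset explicitly so the host-side mount and any in-jail mount agree. This is an added example, not part of the original e-mail or of the FreeBSD sources; the jail name, path and hostname are hypothetical.

```conf
# /etc/jail.conf (constructed example; jail name, path and hostname are hypothetical)
www {
    path = "/usr/jails/www";
    host.hostname = "www.example.org";

    # The host mounts devfs on $path/dev before the jail is created.
    mount.devfs;

    # Set the ruleset explicitly. mount.devfs takes its ruleset from this
    # parameter, and the same value governs a devfs mounted from inside the jail.
    # If it is left unset, the two defaults differ:
    #   mount.devfs   falls back to ruleset 4 (devfsrules_jail)
    #   devfs_ruleset stays at 0, meaning no ruleset is enforced
    devfs_ruleset = 4;

    # Mounting devfs from inside the jail needs specific permission.
    # Leave these out unless the jail really has to do that.
    # allow.mount;
    # allow.mount.devfs;
    # enforce_statfs = 1;

    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

# On the host, "devfs rule -s 4 show" lists the rules currently loaded in
# ruleset 4. No output means the ruleset is empty and hides nothing.
```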