Date: Thu, 9 May 2013 11:07:18 +0200
From: Alexander Leidinger
To: hackers@FreeBSD.org
Subject: priv_check/make_dev/devfs.rules: What is preventing a device to show up in a jail?
Message-ID: <20130509110718.0000528e@unknown>
Cc: usb@FreeBSD.org

Hi,

big picture: I want to get access to my USB DVB device in a jail. First I explain what works (to show what I already know in this regard), then I explain what doesn't work (where I seem to lack some knowledge).

What I did so far:

I already patched my kernel to give access to /dev/io and /dev/dri in a jail to have X11 up and running in a jail (works since some years):
 - changed PRIV_DRIVER to PRIV_DRI_DRIVER (new in my kernel) for the priv_check() for /dev/dri
 - added cases PRIV_IO and PRIV_DRI_DRIVER to sys/kern/kern_jail.c which allow access if a specific allow.xxx flag is set for the jail
 - added the following lines to devfs.rules in a x11-jail specific section (plus some more devices):
---snip---
add path agpgart unhide
add path dri unhide
add path 'dri*' unhide
add path nvidiactl unhide
add path 'nvidia*' unhide
add path io unhide
add path mem unhide
---snip---

Patches at http://www.Leidinger.net/FreeBSD/current-patches/0_jail.diff

Result so far:
 - I see the io/mem/nvidia* devices (when I had a Radeon card which used /dev/dri, I was also seeing the devices in the /dev/dri/ directory)
 - I have X11 running in a jail (some config stuff skipped in the above list).

My problem:

I try now to get the device nodes which are created by multimedia/cuse4bsd-kmod + multimedia/webcamd visible in a jail, but they only show up in the jail-host, not in the jail itself.

I patched the priv_check()s in cuse4bsd-kmod to use PRIV_DRI_DRIVER (because it is already available in my kernel and allowed in the jail where I test this; I expect this is necessary in case I want to run webcamd in the jail instead of on the host system) and have the following entries in devfs.rules:
---snip---
[devfsrules_unhide_cuse=13]
add path cuse unhide
add path video unhide
add path 'video*' unhide
add path dvb unhide
add path 'dvb*' unhide
add path input unhide
add path 'input*' unhide
---snip---

I also tried with:
---snip---
add path 'dvb/*' unhide
add path 'dvb/adapter0/*' unhide
---snip---

(I was desperate enough to even reboot the entire host system after changing the rules to make sure I didn't forget to run something which should be run before.)

When starting webcamd in the host system (to rule out some other interactions if I would start it in the jail), I can see in the jail:
---snip---
/dev/cuse
/dev/dvb/
/dev/input/
/dev/input/event0
---snip---

In the host system I have additionally:
---snip---
/dev/dvb/adapter0/ca0
/dev/dvb/adapter0/demux0
/dev/dvb/adapter0/dvr0
/dev/dvb/adapter0/frontend0
---snip---

I would expect to see at least the /dev/dvb/adapter0, if not all of them in the jail itself.

Is there something to the devfs.rules syntax or priv_check() or make_dev()/make_dev_cred() I don't know/understand which is involved when subdirectories of subdirectories in /dev are involved? How can I debug this (where to look, what to look for, ...)?

Bye,
Alexander.

-- 
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137