From owner-freebsd-stable@FreeBSD.ORG Fri Mar 22 00:06:43 2013
Message-ID: <514B9EF6.3000607@quip.cz>
Date: Fri, 22 Mar 2013 00:59:50 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Harald Schmalzbauer, Jamie Gritton, freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: new jail(8) ignoring devfs_ruleset?
References: <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de> <20130219212430.GA92116@felucia.tataz.chchile.org>
In-Reply-To: <20130219212430.GA92116@felucia.tataz.chchile.org>
List-Id: Production branch of FreeBSD source code

Jeremie Le Hen wrote:
> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>> Hello,
>>>>
>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>>> jail.conf capabilities. Thanks for that extension!
>>>>
>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>> If I list /dev/ I see all the host's disk devices etc.
>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>> Inside the jail,
>>>> sysctl security.jail.devfs_ruleset returns "1".
>>>> But like mentioned, I can access all devices...
>>>>
>>>> Thanks for any help,
>>>>
>>>> -Harry
>>>
>>> devfs_ruleset is only used along with mount.devfs - do you also have
>>> that set in jail.conf?
>>
>> Thanks for your response.
>>
>> Yes, I have mount.devfs; set.
>> Otherwise I wouldn't have any device inside my jail. Verified - and like
>> intended, right?
>> Another notable discrepancy: The man page tells that devfs_ruleset is "4"
>> by default.
>> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
>> 'sysctl security.jail.devfs_ruleset': 0
>> When set, like mentioned above, it returns the corresponding value, but
>> it doesn't have any effect.
>> How does devfs_ruleset get handled? Does jail(8) do the whole job?
>> I'd like to help find the source, but have missed the whole new jail
>> evolution...
>> Inside my jails, I don't have an fstab; outside I have them defined and
>> enabled with "mount" - and noticed the non-reverted unmounting.
>
> Look at what's in /dev from your jail. There should be a few pseudo
> devices (see below), but no real devices:
>
> $ ls /dev
> crypto  log   ptmx  random  stdin   urandom  zfs
> fd      null  pts   stderr  stdout  zero

I can confirm the mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC.

I am now testing the new jail.conf possibilities and I am seeing all devices
in /dev in the jail. Even if I set all this in my jail.conf:

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;
allow.set_hostname = false;

path = "/vol0/jail/$name";
exec.consolelog = "/var/log/jail/$name.console";
mount.fstab = "/etc/fstab.$name";

## Jail bali
bali {
        host.hostname = "bali.XXXXXXX.YY";
        ip4.addr = xx.xx.xx.xx;
        devfs_ruleset = 4;
}

# jexec 4 tcsh
root@bali:/ # ls -l /dev/
total 4
crw-r--r--  1 root  wheel       0,  35 Mar  1 19:39 acpi
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 ad10 -> ada3
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 ad10s1 -> ada3s1
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1a -> ada3s1a
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1b -> ada3s1b
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1d -> ada3s1d
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1e -> ada3s1e
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1f -> ada3s1f
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s1g -> ada3s1g
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 ad10s2 -> ada3s2
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s2a -> ada3s2a
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s2b -> ada3s2b
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s2d -> ada3s2d
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad10s2e -> ada3s2e
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 ad4 -> ada0
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 ad6 -> ada1
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 ad8 -> ada2
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 ad8s1 -> ada2s1
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1a -> ada2s1a
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1b -> ada2s1b
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1d -> ada2s1d
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1e -> ada2s1e
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1f -> ada2s1f
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s1g -> ada2s1g
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 ad8s2 -> ada2s2
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s2a -> ada2s2a
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s2b -> ada2s2b
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s2d -> ada2s2d
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 ad8s2e -> ada2s2e
crw-r-----  1 root  operator    0, 106 Mar  1 19:39 ada0
crw-r-----  1 root  operator    0, 108 Mar  1 19:39 ada1
crw-r-----  1 root  operator    0, 114 Mar  1 19:39 ada2
crw-r-----  1 root  operator    0, 120 Mar  1 19:39 ada2s1
crw-r-----  1 root  operator    0, 130 Mar  1 19:39 ada2s1a
crw-r-----  1 root  operator    0, 132 Mar  1 19:39 ada2s1b
crw-r-----  1 root  operator    0, 134 Mar  1 19:39 ada2s1d
crw-r-----  1 root  operator    0, 136 Mar  1 19:39 ada2s1e
crw-r-----  1 root  operator    0, 138 Mar  1 19:39 ada2s1f
crw-r-----  1 root  operator    0, 140 Mar  1 19:39 ada2s1g
crw-r-----  1 root  operator    0, 122 Mar  1 19:39 ada2s2
crw-r-----  1 root  operator    0, 142 Mar  1 19:39 ada2s2a
crw-r-----  1 root  operator    0, 144 Mar  1 19:39 ada2s2b
crw-r-----  1 root  operator    0, 146 Mar  1 19:39 ada2s2d
crw-r-----  1 root  operator    0, 148 Mar  1 19:39 ada2s2e
crw-r-----  1 root  operator    0, 116 Mar  1 19:39 ada3
crw-r-----  1 root  operator    0, 124 Mar  1 19:39 ada3s1
crw-r-----  1 root  operator    0, 150 Mar  1 19:39 ada3s1a
crw-r-----  1 root  operator    0, 154 Mar  1 19:39 ada3s1b
crw-r-----  1 root  operator    0, 156 Mar  1 19:39 ada3s1d
crw-r-----  1 root  operator    0, 161 Mar  1 19:39 ada3s1e
crw-r-----  1 root  operator    0, 165 Mar  1 19:39 ada3s1f
crw-r-----  1 root  operator    0, 167 Mar  1 19:39 ada3s1g
crw-r-----  1 root  operator    0, 126 Mar  1 19:39 ada3s2
crw-r-----  1 root  operator    0, 170 Mar  1 19:39 ada3s2a
crw-r-----  1 root  operator    0, 173 Mar  1 19:39 ada3s2b
crw-r-----  1 root  operator    0, 175 Mar  1 19:39 ada3s2d
crw-r-----  1 root  operator    0, 177 Mar  1 19:39 ada3s2e
crw-------  1 root  kmem        0,  19 Mar  1 19:39 audit
crw-------  1 root  wheel       0,  11 Mar  1 19:39 bpf
lrwxr-xr-x  1 root  wheel            3 Mar 22 00:46 bpf0 -> bpf
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 cam
crw-r-----  1 root  operator    0, 118 Mar  1 19:39 cd0
crw-r-----  1 root  operator    0, 208 Mar  1 19:39 cd1
crw-------  1 root  wheel       0,   5 Mar 22 00:43 console
crw-------  1 root  wheel       0,  60 Mar  1 19:39 consolectl
crw-rw-rw-  1 root  wheel       0,  10 Mar  1 19:39 ctty
crw-rw----  1 uucp  dialer      0,  41 Mar  1 19:39 cuau0
crw-rw----  1 uucp  dialer      0,  42 Mar  1 19:39 cuau0.init
crw-rw----  1 uucp  dialer      0,  43 Mar  1 19:39 cuau0.lock
crw-rw----  1 uucp  dialer      0,  64 Mar  1 19:39 cuau1
crw-rw----  1 uucp  dialer      0,  65 Mar  1 19:39 cuau1.init
crw-rw----  1 uucp  dialer      0,  66 Mar  1 19:39 cuau1.lock
crw-r-----  1 root  operator    0, 209 Mar  1 19:39 da0
crw-r-----  1 root  operator    0, 210 Mar  1 19:39 da1
crw-------  1 root  wheel       0,  20 Mar  1 19:39 dcons
crw-------  1 root  wheel       0,   4 Mar  1 19:39 devctl
cr--------  1 root  wheel       0, 100 Mar  1 19:39 devstat
crw-------  1 root  wheel       0,  21 Mar  1 19:39 dgdb
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 fd
crw-------  1 root  wheel       0,  15 Mar  1 19:39 fido
crw-r-----  1 root  operator    0,   3 Mar  1 19:39 geom.ctl
crw-------  1 root  wheel       0,  28 Mar  1 19:39 io
lrwxr-xr-x  1 root  wheel            5 Mar 22 00:46 kbd0 -> ukbd0
lrwxr-xr-x  1 root  wheel            7 Mar 22 00:46 kbd1 -> kbdmux0
crw-------  1 root  wheel       0,  13 Mar  1 19:39 kbdmux0
crw-------  1 root  wheel       0,   9 Mar  1 19:39 klog
crw-r-----  1 root  kmem        0,  17 Mar  1 19:39 kmem
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 led
crw-------  1 root  wheel       0,  72 Mar  1 19:39 mdctl
crw-r-----  1 root  kmem        0,  16 Mar  1 19:39 mem
crw-rw-rw-  1 root  wheel       0,   7 Mar  1 19:39 midistat
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 mirror
crw-------  1 root  kmem        0,  18 Mar  1 19:39 nfslock
crw-rw-rw-  1 root  wheel       0,  22 Mar 22 00:55 null
crw-------  1 root  operator    0, 101 Mar  1 19:39 pass0
crw-------  1 root  operator    0, 102 Mar  1 19:39 pass1
crw-------  1 root  operator    0, 103 Mar  1 19:39 pass2
crw-------  1 root  operator    0, 104 Mar  1 19:39 pass3
crw-------  1 root  operator    0, 105 Mar  1 19:39 pass4
crw-------  1 root  operator    0, 185 Mar  1 19:39 pass5
crw-------  1 root  operator    0, 206 Mar  1 19:39 pass6
crw-------  1 root  operator    0, 207 Mar  1 19:39 pass7
crw-r--r--  1 root  wheel       0,  24 Mar  1 19:39 pci
crw-------  1 root  wheel       0, 194 Mar  1 19:40 pf
crw-rw-rw-  1 root  wheel       0,  25 Mar  1 19:39 ptmx
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 pts
crw-rw-rw-  1 root  wheel       0,  26 Mar  1 20:40 random
cr--r--r--  1 root  wheel       0,   6 Mar  1 19:39 sndstat
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 stderr -> fd/2
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 stdin -> fd/0
lrwxr-xr-x  1 root  wheel            4 Mar 22 00:46 stdout -> fd/1
crw-------  1 root  wheel       0,   8 Mar  1 19:39 sysmouse
crw-------  1 root  wheel       0,  38 Mar  1 19:39 ttyu0
crw-------  1 root  wheel       0,  39 Mar  1 19:39 ttyu0.init
crw-------  1 root  wheel       0,  40 Mar  1 19:39 ttyu0.lock
crw-------  1 root  wheel       0,  61 Mar  1 19:39 ttyu1
crw-------  1 root  wheel       0,  62 Mar  1 19:39 ttyu1.init
crw-------  1 root  wheel       0,  63 Mar  1 19:39 ttyu1.lock
crw-------  1 root  wheel       0,  44 Mar  1 19:40 ttyv0
crw-------  1 root  wheel       0,  45 Mar  1 19:40 ttyv1
crw-------  1 root  wheel       0,  46 Mar  1 19:40 ttyv2
crw-------  1 root  wheel       0,  47 Mar  1 19:40 ttyv3
crw-------  1 root  wheel       0,  48 Mar  1 19:40 ttyv4
crw-------  1 root  wheel       0,  49 Mar  1 19:40 ttyv5
crw-------  1 root  wheel       0,  50 Mar  1 19:40 ttyv6
crw-------  1 root  wheel       0,  51 Mar  1 19:40 ttyv7
crw-------  1 root  wheel       0,  52 Mar  1 19:39 ttyv8
crw-------  1 root  wheel       0,  53 Mar  1 19:39 ttyv9
crw-------  1 root  wheel       0,  54 Mar  1 19:39 ttyva
crw-------  1 root  wheel       0,  55 Mar  1 19:39 ttyvb
crw-------  1 root  wheel       0,  56 Mar  1 19:39 ttyvc
crw-------  1 root  wheel       0,  57 Mar  1 19:39 ttyvd
crw-------  1 root  wheel       0,  58 Mar  1 19:39 ttyve
crw-------  1 root  wheel       0,  59 Mar  1 19:39 ttyvf
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 ufs
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 ufsid
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen0.1 -> usb/0.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen1.1 -> usb/1.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen1.2 -> usb/1.2.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen2.1 -> usb/2.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen3.1 -> usb/3.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen3.2 -> usb/3.2.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen4.1 -> usb/4.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen5.1 -> usb/5.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen6.1 -> usb/6.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen7.1 -> usb/7.1.0
lrwxr-xr-x  1 root  wheel            9 Mar 22 00:46 ugen7.2 -> usb/7.2.0
crw-------  1 root  wheel       0, 163 Mar  1 19:39 ukbd0
crw-r--r--  1 root  operator    0, 169 Mar  1 19:39 ums0
crw-r--r--  1 root  operator    0, 172 Mar  1 19:39 ums1
lrwxr-xr-x  1 root  wheel            6 Mar 22 00:46 urandom -> random
dr-xr-xr-x  2 root  wheel          512 Mar 22 00:46 usb
crw-r--r--  1 root  operator    0,  70 Mar  1 19:39 usbctl
crw-------  1 root  wheel       0,  69 Mar  1 19:39 vboxdrv
crw-------  1 root  wheel       0, 196 Mar  1 19:40 vboxnetctl
crw-------  1 root  operator    0,  71 Mar  1 19:39 xpt0
crw-rw-rw-  1 root  wheel       0,  23 Mar  1 19:39 zero

Is it a problem in my understanding of the manpage / configuration, or is it
a bug in the jail command on 9.1-RELEASE?

Miroslav Lachman
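The listing above is the security problem in this thread in one screen: with the ruleset not applied, root in the jail can open /dev/mem, /dev/kmem, /dev/io, /dev/bpf, /dev/pf and the raw host disks (ada*, da*, pass*), which is host root in all but name. Rather than eyeballing 200 lines of ls output, the following is a small audit script, added as an example and not part of the thread or of FreeBSD's own rc scripts. Its allowlist is exactly the set Jeremie posted (what the stock devfsrules_jail ruleset, number 4 in /etc/defaults/devfs.rules, leaves visible); anything else under the jail's /dev is reported. The devfs(8) commands in the trailing comment, and the jail path /vol0/jail/bali/dev taken from Miroslav's jail.conf, are the assumed host-side remedy and are not executed by the script.

```shell
#!/bin/sh
# audit_jail_dev.sh -- added example, not from the thread or from FreeBSD.
# Reports what a jail's /dev exposes beyond what the stock devfsrules_jail
# ruleset (ruleset 4 in /etc/defaults/devfs.rules on 9.x) leaves visible.
# Usage: audit_jail_dev.sh <jail-root>   (from the host: /vol0/jail/bali,
#        or "/" when run inside the jail itself)

# The names ruleset 4 unhides; this is the listing posted earlier in the thread.
JAIL_DEV_ALLOW="crypto fd log null ptmx pts random stderr stdin stdout urandom zero zfs"

# Print, sorted and one per line, every name directly under $1 that ruleset 4
# would have hidden. Symlinks (ad4 -> ada0, bpf0 -> bpf) are reported as well,
# since a visible link implies a visible target.
jail_dev_unexpected() {
    for p in "$1"/* "$1"/.[!.]*; do
        [ -e "$p" ] || [ -L "$p" ] || continue      # glob matched nothing
        n=${p##*/}
        case " $JAIL_DEV_ALLOW " in
            *" $n "*) ;;                            # expected pseudo-device
            *) printf '%s\n' "$n" ;;
        esac
    done | sort
}

# Succeed only when nothing unexpected is visible. Suitable as a check run
# after every jail start or from a periodic(8) job.
jail_dev_is_clean() {
    [ -z "$(jail_dev_unexpected "$1")" ]
}

# Host-side remedy on FreeBSD when the audit fails (devfs(8) commands, assumed
# here and not run by this script): first confirm ruleset 4 actually contains
# rules, then apply it to the jail's devfs mount by hand.
#   devfs rule -s 4 show
#   devfs -m /vol0/jail/bali/dev rule -s 4 applyset

if [ "$#" -ge 1 ]; then
    dir="${1%/}/dev"
    if jail_dev_is_clean "$dir"; then
        echo "OK: $dir exposes only the expected pseudo-devices"
    else
        echo "WARNING: $dir exposes nodes that ruleset 4 would hide:" >&2
        jail_dev_unexpected "$dir" >&2
        exit 1
    fi
fi
```

An empty ruleset hides nothing, so a jail that reports the right devfs_ruleset number via sysctl can still show everything; the first devfs(8) command in the comment is the check for that case, and the audit above catches it regardless of the cause.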