Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 17 Dec 2017 15:45:45 -0500
From:      Dan Langille <dan@langille.org>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-current@freebsd.org
Subject:   Re: cannot access pass device from within jail
Message-ID:  <A587A926-7DD7-4BB6-A02A-BD7542F7C2E3@langille.org>
In-Reply-To: <CA8846F6-23AA-448F-B35C-A7FE1D5A0C53@lists.zabbadoz.net>
References:  <E1314554-C8D0-4E8F-B8DB-E0B4D9DE325F@langille.org> <CA8846F6-23AA-448F-B35C-A7FE1D5A0C53@lists.zabbadoz.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
> On Dec 17, 2017, at 3:37 PM, Bjoern A. Zeeb =
<bzeeb-lists@lists.zabbadoz.net> wrote:
>=20
> On 17 Dec 2017, at 19:52, Dan Langille wrote:
>=20
>> Hello,
>>=20
>> What suggestions do you have for where I should look next? I'm happy =
to start installing various builds of FreeBSD in order to track down =
which commit caused this.
>>=20
>> I'm trying to access a tape library from within a jail running on a =
FreeBSD 11.1 host.  sa(4) devices are working (e.g. I can rewind nsa0).
>>=20
>> pass(4) devices (i.e. the tape changer ch0) are not working.  This =
morning I posted to -scsi@: =
https://lists.freebsd.org/pipermail/freebsd-scsi/2017-December/007608.html=

>>=20
>> The device appears in the jail and has appropriate permissions.  This =
access was granted
>> via /etc/devfs.rules using the same approach I used for FreeBSD 10.3
>>=20
>> The permissions in the jail:
>>=20
>> [root@bacula-sd-02 ~]# ls -l /dev/pass7
>> crw-------  1 root  operator  0x74 Dec 16 21:52 /dev/pass7
>>=20
>> The command in the jail:
>>=20
>> [root@bacula-sd-02 ~]# mtx -f /dev/pass7 status
>> cannot open SCSI device '/dev/pass7' - Operation not permitted
>>=20
>> Here is the truss output of the command in question: =
https://gist.github.com/dlangille/b80ee804b8080e1cbf5b5ab67f0bdabe
>=20
>=20
> You don=E2=80=99t by any chance have a securelevel > 1 set for that =
jail?


On the host:=20

$ sysctl kern.securelevel
kern.securelevel: -1


On the jail:

$ sysctl kern.securelevel
kern.securelevel: -1

Thank you
--=20
Dan Langille - BSDCan / PGCon
dan@langille.org

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A587A926-7DD7-4BB6-A02A-BD7542F7C2E3>