From: Jamie Gritton
To: Harald Schmalzbauer
Cc: freebsd-jail@FreeBSD.org, freebsd-stable@FreeBSD.org
Date: Fri, 15 Feb 2013 16:40:09 -0700
Subject: Re: new jail(8) ignoring devfs_ruleset?
Message-ID: <511EC759.4060704@FreeBSD.org>
In-Reply-To: <511E61F5.1000805@omnilan.de>

On 02/15/13 09:27, Harald Schmalzbauer wrote:
> Hello,
>
> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
> jail.conf capabilities. Thanks for that extension!
>
> Accidentally I saw that "devfs_ruleset" seems to be ignored.
> If I list /dev/ I see all the host's disk devices etc.
> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
> Inside the jail,
> sysctl security.jail.devfs_ruleset returns "1".
> But like mentioned, I can access all devices...
>
> Thanks for any help,
>
> -Harry

devfs_ruleset is only used along with mount.devfs - do you also have
that set in jail.conf?

- Jamie
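
The check implied by the reply above, as an added example that is not part of the original message or of FreeBSD: a small Python lint that reads a jail.conf and lists the jails that set devfs_ruleset without enabling mount.devfs. The sample configuration and the function names are constructed for illustration, and the reader handles only a simplified subset of the jail.conf syntax.

```python
import re

# Constructed sample (not from the thread): "web" repeats the reported setup.
SAMPLE_CONF = """
enforce_statfs = 1;                        # global default
web { devfs_ruleset = 4; }                 // as reported: no mount.devfs
db  { mount.devfs; devfs_ruleset = 4; }    /* ruleset applied to the jail's devfs */
old { devfs_ruleset = 4; mount.nodevfs; }
"""

def params(body):
    """Parse 'name;' and 'name = value;' statements into a dict."""
    out = {}
    for stmt in body.split(";"):
        name, _, value = stmt.partition("=")
        name, value = name.strip(), value.strip().strip('"')
        if name == "mount.nodevfs":      # "no" prefix clears the boolean
            name, value = "mount.devfs", "false"
        elif name == "mount.devfs":      # bare name sets the boolean
            value = value or "true"
        if name:
            out[name] = value
    return out

def parse(text):
    """Simplified reader (assumption): no variables, nested blocks, or ; } # inside strings."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */ comments
    text = re.sub(r"(#|//).*", "", text)                # to-end-of-line comments
    block = re.compile(r"([\w.*-]+)\s*\{(.*?)\}", re.S)
    jails = {m.group(1): params(m.group(2)) for m in block.finditer(text)}
    defaults = {**params(block.sub("", text)), **jails.pop("*", {})}
    return defaults, jails

def ruleset_without_devfs(text):
    """Names of jails that set devfs_ruleset without enabling mount.devfs."""
    defaults, jails = parse(text)
    flagged = []
    for name, own in jails.items():
        eff = {**defaults, **own}        # per-jail settings override defaults
        off = eff.get("mount.devfs", "false").lower() in ("false", "0")
        if "devfs_ruleset" in eff and off:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(ruleset_without_devfs(SAMPLE_CONF))
```

Global parameters and a `*` block are treated as defaults for every jail, so a mount.devfs set there clears the finding.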