Date: Mon, 18 Feb 2013 09:26:42 -0700
From: Jamie Gritton <jamie@FreeBSD.org>
To: Harald Schmalzbauer <h.schmalzbauer@omnilan.de>
Cc: freebsd-jail <jail@FreeBSD.org>, freebsd-stable <freebsd-stable@FreeBSD.org>
Subject: Re: new jail(8) ignoring devfs_ruleset?
Message-ID: <51225642.2010501@FreeBSD.org>
In-Reply-To: <5121EC52.5040502@omnilan.de>
References: <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de>
On 02/18/13 01:54, Harald Schmalzbauer wrote:
> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>> Hello,
>>>
>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>> jail.conf capabilities. Thanks for that extension!
>>>
>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>> If I list /dev/ I see all the host's disk devices etc.
>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>> Inside the jail,
>>> sysctl security.jail.devfs_ruleset returns "1".
>>> But like mentioned, I can access all devices...
>>>
>>> Thanks for any help,
>>>
>>> -Harry
>>
>> devfs_ruleset is only used along with mount.devfs - do you also have
>> that set in jail.conf?
>
> Thanks for your response.
>
> Yes, I have mount.devfs; set.
> Otherwise I wouldn't have any device inside my jail. Verified - and like
> intended, right?
> Another notable discrepancy: The man page tells that devfs_ruleset is "4"
> by default.
> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
> 'sysctl security.jail.devfs_ruleset': 0
> When set, like mentioned above, it returns the corresponding value, but
> it doesn't have any effect.
> How does devfs_ruleset get handled? Does jail(8) do the whole job? I'd like
> to help finding the source, but have missed the whole new jail evolution...
> Inside my jails, I don't have a fstab, outside I have them defined and
> enabled with "mount" - and noticed the non-reverted umounting.

I found the problem - I noticed you mentioned 9.1-R, and took a look at
devfs(5). On CURRENT, there's a mount option "ruleset" that isn't there
on 9. So I'll have to get around it by running devfs(8) after the mount.
I'll work on a patch for that.

- Jamie
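The workaround Jamie describes (applying the ruleset with devfs(8) after the mount, because the 9.x kernel has no "ruleset" mount option for jail(8) to pass) can be done by hand from jail.conf until the patch lands. The fragment below is an added example written for this thread, not configuration from the original message or from the FreeBSD project; it assumes a jail root under /jails, that ruleset 4 is the stock devfsrules_jail set from /etc/defaults/devfs.rules, and that the mount is done in exec.prestart rather than via mount.devfs so the devices are already hidden before anything inside the jail runs.

```conf
# Added example for 9.1-R, where jail(8) sets the devfs_ruleset parameter
# but the devfs mount does not enforce it (see the thread above).
# Assumed layout: jail root at /jails/<name>; ruleset 4 = devfsrules_jail.

path = "/jails/${name}";
host.hostname = "${name}.example.org";   # placeholder hostname
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";

# devfs_ruleset is still set so the in-jail sysctl reports the intended
# value, but enforcement comes from the explicit devfs(8) call below.
devfs_ruleset = 4;
enforce_statfs = 1;

# Mount devfs ourselves and apply the ruleset before the jail is created,
# instead of relying on mount.devfs.  The ruleset is applied to the jail's
# mount point only; the host's /dev is untouched.
exec.prestart = "mount -t devfs devfs ${path}/dev && devfs -m ${path}/dev rule -s 4 applyset";

# Undo the mount on shutdown, which also avoids the leftover devfs mounts
# mentioned in the thread.
exec.poststop = "umount ${path}/dev";

www {
	ip4.addr = 192.0.2.10;   # documentation range, placeholder address
}
```

The check that matters is not `sysctl security.jail.devfs_ruleset` inside the jail, which only echoes the parameter, as Harald observed; it is whether host disk nodes are actually absent. After `jail -c www`, run `ls /jails/www/dev` from the host: with the ruleset applied, only the basic and login nodes (null, zero, random, tty, ptys, ...) should be listed, and no ada*/da* disk devices.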
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51225642.2010501>