From: Julian Elischer
To: Kevin Day, Jan Bramkamp
Cc: freebsd-fs@freebsd.org
Subject: Re: Neutered devices in jails (per FS flag?)
Date: Fri, 18 Sep 2015 13:54:29 +0800
Message-ID: <55FBA715.707@freebsd.org>
In-Reply-To: <7D445BFC-AB18-4EAD-8065-F0A934B1A479@dragondata.com>

On 9/17/15 12:58 AM, Kevin Day wrote:
>> On 16/09/15 18:30, Kevin Day wrote:
>>> We’re currently using jails to allow servers to copy backups of
>>> themselves to a central backup server. The problem we’re having is
>>> with mknod/devices. Currently jails don’t allow device files to be
>>> created, which makes sense - you don’t want them to be able to
>>> bypass the jail by opening /dev/kmem or something. We want jails to
>>> be able to create device files, just not be able to open/use them.
>>>
>>> Has anyone given any thought to changing this behavior? Allowing
>>> jails to create/manipulate device files, but not actually opening
>>> them? I.e. instead of returning EPERM on creating the device,
>>> instead return EPERM on opening it? This would likely need to be a
>>> filesystem flag, because jails still require some devices to work
>>> (a separate devfs mount or something). We could make the jail’s
>>> /dev read only or use devfs so those devices still work, but have
>>> the parent jail directory with a “noopendev” flag or something
>>> similar.
>>>
>>> Has anyone gone down this path before?
>> There is no reason to back up device files on FreeBSD because FreeBSD
>> uses a dynamic devfs. Back up the devfs rules and devfs.conf instead
>> of the device files.
> We’re backing up non-FreeBSD systems, as well as some software that
> creates its own devices inside a mini-chroot it needs to run.

You can't create device files under FreeBSD... well, you can make the
nodes I guess, but they don't connect to any device. They only exist to
allow them to be exported through NFS as far as I know.