Date: Sun, 17 Dec 2017 14:48:39 -0700
From: Warner Losh <imp@bsdimp.com>
To: Dan Langille <dan@langille.org>
Cc: FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: cannot access pass device from within jail
Message-ID: <CANCZdfr_VQE-WyZUfsYyWdyGRuPUh4qgn2Aqr7agGWQEH_Ypdg@mail.gmail.com>
In-Reply-To: <C19AEFEA-1105-4891-ABDE-B7222147D396@langille.org>
References: <E1314554-C8D0-4E8F-B8DB-E0B4D9DE325F@langille.org> <CANCZdfqWF1ckY58yp6sDGkJHxnwoyQB=nz1mnRKZe_mOM3H-gQ@mail.gmail.com> <C19AEFEA-1105-4891-ABDE-B7222147D396@langille.org>

Sorry to top post.

The problem did turn out to be securelevel. We found this by doing

dtrace -n 'fbt::securelevel_gt:return {print(args[1]);}'

Though you could also replace securelevel_gt with passopen to see it was in
passopen too...

Warner

On Sun, Dec 17, 2017 at 2:08 PM, Dan Langille <dan@langille.org> wrote:

> > On Dec 17, 2017, at 4:04 PM, Warner Losh <imp@bsdimp.com> wrote:
> >
> > What are the permissions of /dev/xpt0 in the jail? If it's not there I know
> > at least camcontrol won't work. I've not used mtx, so I can't say if it's
> > affected too or not.
>
> I have tried both with and without xpt0. When I tried, it was:
>
> # ls -l /dev/xpt0
> crw------- 1 root operator 0x4c Dec 16 21:52 /dev/xpt0
>
> > However, looking at the truss output:
> >
> > openat(AT_FDCWD,"/dev/pass7",O_RDWR|O_EXCL,00) ERR#1 'Operation not permitted'
> >
> > suggests something other than the canonical xpt0 issue is going on. If
> > we look at passopen in cam, I can see two exit paths:
> >
> > error = securelevel_gt(td->td_ucred, 1); if (error != 0) {... return error; }
> >
> > securelevel_gt is just "return (cr->cr_prison->pr_securelevel > level ?
> > EPERM : 0);" which might be possible. What's the securelevel of the jail?
> > Maybe this is going on somehow?
>
> On the host:
>
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
> On the jail:
>
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
> > The second is basically
> >
> > if (((flags & FWRITE) == 0) || ((flags & FREAD) == 0)) {... return EPERM; }
> >
> > which isn't happening because of the O_RDWR in the truss output.
> >
> > The other possibility is that something above the pass driver is doing the
> > check. I've not looked at that code path yet, but you can see if it's
> > making it to passopen() with dtrace and checking its return value. I don't
> > see anything in how we register the device, though, that would suggest
> > filtering it in jails.
> >
> > Warner
> >
> > On Sun, Dec 17, 2017 at 12:52 PM, Dan Langille <dan@langille.org> wrote:
> >
> >> Hello,
> >>
> >> What suggestions do you have for where I should look next? I'm happy to
> >> start installing various builds of FreeBSD in order to track down which
> >> commit caused this.
> >>
> >> I'm trying to access a tape library from within a jail running on a
> >> FreeBSD 11.1 host. sa(4) devices are working (e.g. I can rewind nsa0).
> >>
> >> pass(4) devices (i.e. the tape changer ch0) are not working. This morning
> >> I posted to -scsi@:
> >> https://lists.freebsd.org/pipermail/freebsd-scsi/2017-December/007608.html
> >>
> >> The device appears in the jail and has appropriate permissions. This
> >> access was granted
> >> via /etc/devfs.rules using the same approach I used for FreeBSD 10.3
> >>
> >> The permissions in the jail:
> >>
> >> [root@bacula-sd-02 ~]# ls -l /dev/pass7
> >> crw------- 1 root operator 0x74 Dec 16 21:52 /dev/pass7
> >>
> >> The command in the jail:
> >>
> >> [root@bacula-sd-02 ~]# mtx -f /dev/pass7 status
> >> cannot open SCSI device '/dev/pass7' - Operation not permitted
> >>
> >> Here is the truss output of the command in question:
> >> https://gist.github.com/dlangille/b80ee804b8080e1cbf5b5ab67f0bdabe
> >>
> >> Thank you.
> >>
> >> --
> >> Dan Langille - BSDCan / PGCon
> >> dan@langille.org
> >>
> >> _______________________________________________
> >> freebsd-current@freebsd.org mailing list
> >> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> >> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
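
The two EPERM exit paths in passopen() described in the quoted message, as a small userland C model. This is an added example, not code from the thread or from FreeBSD; the model_* names, M_FREAD/M_FWRITE and try_open are assumptions made for the illustration. It shows that the securelevel check only trips above level 1 and that both exits hand the caller the same EPERM, so the error code alone does not say which check fired.

```c
/* Userland model of the two EPERM exits in passopen() quoted above.
 * Constructed for illustration; not the FreeBSD source. */
#include <errno.h>
#include <stdio.h>

#define M_FREAD  0x1   /* model stand-ins for the kernel's FREAD/FWRITE */
#define M_FWRITE 0x2

struct model_prison { int pr_securelevel; };
struct model_ucred  { struct model_prison *cr_prison; };

/* Same expression as quoted in the message. */
static int model_securelevel_gt(const struct model_ucred *cr, int level)
{
    return (cr->cr_prison->pr_securelevel > level ? EPERM : 0);
}

/* The two checks, in the order given in the message. */
static int model_passopen(const struct model_ucred *cr, int flags)
{
    int error = model_securelevel_gt(cr, 1);
    if (error != 0)
        return error;                 /* securelevel 2 or higher */
    if ((flags & M_FWRITE) == 0 || (flags & M_FREAD) == 0)
        return EPERM;                 /* not opened read-write */
    return 0;
}

/* Demo helper: result for a given jail securelevel and open flags. */
static int try_open(int securelevel, int flags)
{
    struct model_prison pr = { securelevel };
    struct model_ucred cr = { &pr };
    return model_passopen(&cr, flags);
}

int main(void)
{
    int levels[] = { -1, 0, 1, 2, 3 };   /* constructed sample values */
    for (int i = 0; i < 5; i++)
        printf("securelevel %2d, read-write: %s\n", levels[i],
               try_open(levels[i], M_FREAD | M_FWRITE) ? "EPERM" : "ok");
    printf("securelevel -1, read-only:  %s\n",
           try_open(-1, M_FREAD) ? "EPERM" : "ok");
    return 0;
}
```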