On 11/16/2013 2:41 PM, Jan Demter wrote:
> While looking around in the docs, I also noticed that jail(8) has contradicting info on the default ruleset for jails:
>     devfs_ruleset: "A value of zero (default) means no ruleset is enforced."
>     mount.devfs: “[…] or a default of ruleset 4: devfsrules_jail […]”
> The latter seems to be correct, though it will probably be an empty ruleset as described above.

Those parameters control different things. devfs_ruleset is the ruleset that is used if devfs is mounted by a process within the jail (which, as noted, requires specific permission). mount.devfs is only for (the host system) mounting devfs before the jail is created; while it takes its ruleset from devfs_ruleset, it includes a further default of rule 4.

I used the default of 4 for mount.devfs's behavior to copy what was already being done in the shell-script-based jail creation in the old rc.d/jail - the goal of much of the "pseudo-parameter" part of jail(8) was to do the same as that script had already done. It would have made sense for devfs_ruleset's original behavior to use ruleset four as well, but I hadn't considered anything user-level at the time. So yes, they have ended up with contradictory behavior, though each alone acts as documented.

- Jamie
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
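
The two defaults described in the reply above can be checked mechanically. The following is an added example, not part of the original message or of FreeBSD: it reads a constructed jail.conf sample with a deliberately simplified parser and reports, per jail, the ruleset applied to a host-mounted devfs (devfs_ruleset, else 4) and to an in-jail devfs mount (devfs_ruleset, else 0). The permission names allow.mount and allow.mount.devfs are taken from jail(8), not from the message; the jail names and paths are hypothetical.

```python
import re

# Constructed sample jail.conf (hypothetical jails, not from the original message).
SAMPLE_CONF = """
web   { path = "/jails/web";   mount.devfs; }
build { path = "/jails/build"; mount.devfs; allow.mount; allow.mount.devfs; }
db    { path = "/jails/db";    mount.devfs; devfs_ruleset = 4;
        allow.mount; allow.mount.devfs; }
"""

def parse_jails(text):
    """Simplified parser: '#' comments and flat 'name { k = v; flag; }' blocks only."""
    text = re.sub(r"#[^\n]*", "", text)
    jails = {}
    for name, body in re.findall(r"([\w.-]+)\s*\{([^}]*)\}", text):
        params = {}
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            key, _, value = stmt.partition("=")
            # A bare parameter such as 'mount.devfs;' is a boolean set to true.
            params[key.strip()] = value.strip().strip('"') or "1"
        jails[name] = params
    return jails

def enabled(params, key):
    return params.get(key, "0") not in ("0", "false")

def effective_rulesets(params):
    """Return (host_mount_ruleset, in_jail_ruleset, warning) per the reply above."""
    explicit = params.get("devfs_ruleset")
    # In-jail mounts: devfs_ruleset, defaulting to 0 (no ruleset enforced).
    in_jail = int(explicit) if explicit is not None else 0
    # Host-side mount.devfs: devfs_ruleset, with a further default of 4.
    host = None
    if enabled(params, "mount.devfs"):
        host = int(explicit) if explicit is not None else 4
    # Warn when the jail may mount devfs itself and nothing filters that mount.
    can_mount = enabled(params, "allow.mount") and enabled(params, "allow.mount.devfs")
    return host, in_jail, can_mount and in_jail == 0

def audit(text):
    return {name: effective_rulesets(p) for name, p in parse_jails(text).items()}

if __name__ == "__main__":
    for name, (host, in_jail, warn) in audit(SAMPLE_CONF).items():
        note = "  <-- in-jail devfs mounts are unfiltered" if warn else ""
        print(f"{name}: host-mounted ruleset={host}, in-jail ruleset={in_jail}{note}")
```

The parser ignores global defaults, wildcard blocks and variables, so treat its output as a starting point for review rather than a full jail.conf evaluation.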