On 2024-09-27 05:01, Quentin Thébault wrote:
I am trying to make iocage usable in hierarchical jail scenarios.
I think I solved most issues in the code, but devfs is giving me a hard time.

I put the following configuration both at the level1 and level2 jail:
- allow_mount=1
- allow_mount_devfs=1
- enforce_statfs=1 (tried with 0 too but no change)
- devfs_ruleset=0
I also set children_max to 10 for the level1 jail.

All the DEVFSIO_RADD errors I had went away when I added the ruleset
setting, but I am still getting DEVFSIO_SGETNEXT and DEVFSIO_RGETNEXT
related errors when I try to start the jail:

root@jaildev:~/iocage # iocage start thick
* Starting thick
devfs rule: ioctl DEVFSIO_SGETNEXT: Operation not permitted
devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not permitted
  + Start FAILED
mount: .: Operation not permitted
jail: ioc-thick: /sbin/mount -t devfs -oruleset=1000 . /iocage/jails/thick/root/dev: failed

Any idea what's going on and how to fix this? Did I miss something?
I tried to look for these DEVFSIO constants but even looking at the source
I don't really find any indication on what's wrong.

It's not those particular DEVFSIO constants that are the problem, but devfs rulesets generally. Jailed root isn't allowed to do any of those ioctls, which means a child jail isn't allowed anything other than the default ruleset. This is a problem, as the proper behavior would be to restrict child jails to the parent jail's ruleset. As it is, giving allow.mount.devfs permission lets the jail see all the devices it otherwise couldn't.

So you found a bug, just not the one you were looking for.

- Jamie
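
Added example, not part of the original thread and not iocage code: a small audit that flags jails whose properties allow devfs mounts from inside the jail, the condition the reply above describes. Property names are the ones listed in the thread; the sample values, the "plain" jail and the severity labels are constructed, and the enforce_statfs condition follows jail(8).

```python
# Added example: flags iocage-style jail properties that permit devfs mounts.
# Property names come from the thread; sample values and severities are constructed.

def parse_props(text):
    """Parse 'key=value' lines (optionally '- ' prefixed, trailing notes ignored)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() and value.split():
            props[key.strip()] = value.split()[0]
    return props

def as_int(props, key, default):
    try:
        return int(props.get(key, default))
    except ValueError:
        return default

def audit_jail(name, props):
    """Return (severity, message) findings for one jail's properties."""
    findings = []
    # jail(8): allow.mount.devfs only takes effect together with allow.mount
    # and an enforce_statfs value lower than 2 (2 is the jail(8) default).
    can_mount_devfs = (as_int(props, "allow_mount", 0) == 1
                       and as_int(props, "allow_mount_devfs", 0) == 1
                       and as_int(props, "enforce_statfs", 2) < 2)
    if can_mount_devfs:
        findings.append(("high", f"{name}: jailed root can mount devfs, and that "
                         "mount is not limited to the parent's ruleset"))
        if as_int(props, "children_max", 0) > 0:
            findings.append(("high", f"{name}: may create child jails, which get "
                             "nothing other than the default ruleset"))
    if as_int(props, "devfs_ruleset", -1) == 0:
        findings.append(("medium", f"{name}: devfs_ruleset=0 enforces no ruleset"))
    return findings

SAMPLE = {  # constructed; "level1" mirrors the settings listed in the thread
    "level1": "- allow_mount=1\n- allow_mount_devfs=1\n"
              "- enforce_statfs=1 (tried with 0 too but no change)\n"
              "- devfs_ruleset=0\nchildren_max=10",
    "plain": "allow_mount=0\nallow_mount_devfs=0\nenforce_statfs=2\n"
             "devfs_ruleset=4\nchildren_max=0",
}

if __name__ == "__main__":
    for jail, text in SAMPLE.items():
        for severity, message in audit_jail(jail, parse_props(text)):
            print(f"[{severity}] {message}")
```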
