Re: new jail(8) ignoring devfs_ruleset?

2013-02-19 Thread Jamie Gritton

On 02/18/13 09:29, Mateusz Guzik wrote:
> On Mon, Feb 18, 2013 at 09:26:42AM -0700, Jamie Gritton wrote:
> > On 02/18/13 01:54, Harald Schmalzbauer wrote:
> > > Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
> > > > On 02/15/13 09:27, Harald Schmalzbauer wrote:
> > > > > Hello,
> > > > >
> > > > > As already posted, on 9.1-R, I highly appreciate the new jail(8) and
> > > > > jail.conf capabilities. Thanks for that extension!
> > > > >
> > > > > Accidentally I saw that "devfs_ruleset" seems to be ignored.
> > > > > If I list /dev/ I see all the host's disk devices etc.
> > > > > I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
> > > > > Inside the jail,
> > > > > sysctl security.jail.devfs_ruleset returns "1".
> > > > > But as mentioned, I can access all devices...
> > > > >
> > > > > Thanks for any help,
> > > > >
> > > > > -Harry
> > > >
> > > > devfs_ruleset is only used along with mount.devfs - do you also have
> > > > that set in jail.conf?
> > >
> > > Thanks for your response.
> > >
> > > Yes, I have mount.devfs; set.
> > > Otherwise I wouldn't have any device inside my jail. Verified - and as
> > > intended, right?
> > > Another notable discrepancy: the man page says that devfs_ruleset is "4"
> > > by default.
> > > But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
> > > 'sysctl security.jail.devfs_ruleset': 0
> > > When set, as mentioned above, it returns the corresponding value, but
> > > it doesn't have any effect.
> > > How is devfs_ruleset handled? Does jail(8) do the whole job? I'd like
> > > to help find the source, but have missed the whole new jail evolution...
> > > Inside my jails, I don't have an fstab; outside I have them defined and
> > > enabled with "mount" - and noticed the non-reverted umounting.
> >
> > I found the problem - I noticed you mentioned 9.1-R, and took a look at
> > devfs(5). On CURRENT, there's a mount option "ruleset", that isn't there
> > on 9.
> >
> > So I'll have to get around it by running devfs(8) after the mount. I'll
> > work on a patch for that.
>
> Why not MFC support for that mount option instead?


I wasn't quite right about it not being in 9.1. I was looking at my 9.0
desktop, and it's not there. But it was in fact MFCd into 9.1. So I'm
back to saying as long as you use the devfs_ruleset parameter, your
jailed /dev should be correct.

- Jamie
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"


Re: new jail(8) ignoring devfs_ruleset?

2013-02-19 Thread Jeremie Le Hen
On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
> > On 02/15/13 09:27, Harald Schmalzbauer wrote:
> >> Hello,
> >>
> >> As already posted, on 9.1-R, I highly appreciate the new jail(8) and
> >> jail.conf capabilities. Thanks for that extension!
> >>
> >> Accidentally I saw that "devfs_ruleset" seems to be ignored.
> >> If I list /dev/ I see all the host's disk devices etc.
> >> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
> >> Inside the jail,
> >> sysctl security.jail.devfs_ruleset returns "1".
> >> But as mentioned, I can access all devices...
> >>
> >> Thanks for any help,
> >>
> >> -Harry
> >
> > devfs_ruleset is only used along with mount.devfs - do you also have
> > that set in jail.conf?
> 
> Thanks for your response.
> 
> Yes, I have mount.devfs; set.
> Otherwise I wouldn't have any device inside my jail. Verified - and as
> intended, right?
> Another notable discrepancy: the man page says that devfs_ruleset is "4"
> by default.
> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
> 'sysctl security.jail.devfs_ruleset': 0
> When set, as mentioned above, it returns the corresponding value, but
> it doesn't have any effect.
> How is devfs_ruleset handled? Does jail(8) do the whole job? I'd like
> to help find the source, but have missed the whole new jail evolution...
> Inside my jails, I don't have an fstab; outside I have them defined and
> enabled with "mount" - and noticed the non-reverted umounting.

Look at what's in /dev from your jail.  There should be a few pseudo
devices (see below), but no real devices:

$ ls /dev
crypto  log     ptmx    random  stdin   urandom zfs
fd      null    pts     stderr  stdout  zero


-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
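The listing Jeremie gives above is the practical test for whether a jail's devfs ruleset is in effect: only pseudo-devices should be visible, and any disk, memory or other host device in the jail's /dev means the ruleset was not applied (as in Harald's report, where devfs_ruleset was set but mount.devfs had not put the ruleset on the mount). The script below is an added example, not code from the thread or from FreeBSD; it audits a /dev listing against an allowlist built from Jeremie's expected entries and flags anything else. The allowlist, the sample listings and the device names in them are constructed for the example; on a real host the listing would come from `jexec "$jail" ls /dev` and the allowlist should be tuned to the ruleset actually in use.

```shell
#!/bin/sh
# Added example: audit a jail's /dev listing for devices that a working
# devfs ruleset should have hidden. Not part of the original thread.

# Allowlist (assumption, taken from the expected listing in the thread):
# the pseudo-devices a jail normally needs and nothing else.
ALLOWED="crypto log ptmx random stdin urandom zfs fd null pts stderr stdout zero"

# Constructed sample: a jail whose ruleset works (only pseudo-devices).
GOOD_LISTING="crypto log ptmx random stdin urandom zfs fd null pts stderr stdout zero"

# Constructed sample: a jail where the ruleset had no effect, so host disks
# and memory devices leaked through alongside the expected pseudo-devices.
LEAKY_LISTING="ada0 ada0p1 ada0p2 crypto da0 fd kmem log mem null ptmx pts random stderr stdin stdout urandom zero zfs"

# is_allowed NAME: succeed only if NAME is on the allowlist.
is_allowed() {
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# unexpected_devices LISTING: print each entry that is not allowlisted,
# one per line, in the order it appears in the listing.
unexpected_devices() {
    for d in $1; do
        is_allowed "$d" || printf '%s\n' "$d"
    done
}

# count_unexpected LISTING: print how many entries are not allowlisted.
count_unexpected() {
    n=0
    for d in $1; do
        is_allowed "$d" || n=$((n + 1))
    done
    echo "$n"
}

# audit_jail LISTING: exit 0 when only expected pseudo-devices are present,
# exit 1 (with the offending names on stderr) when real devices leaked.
audit_jail() {
    bad=$(unexpected_devices "$1")
    if [ -n "$bad" ]; then
        echo "devfs ruleset NOT effective; unexpected entries in /dev:" >&2
        echo "$bad" >&2
        return 1
    fi
    echo "devfs ruleset effective: only expected pseudo-devices present"
    return 0
}
```

On a host, run it as `audit_jail "$(jexec "$jail" ls /dev)"` after the jail starts; a non-zero exit is the signal to check that jail.conf has both `mount.devfs;` and the `devfs_ruleset` parameter, since the ruleset is only applied as part of the devfs mount.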