From owner-freebsd-jail@FreeBSD.ORG Tue Feb 19 21:24:40 2013
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id D5B0DDC5; Tue, 19 Feb 2013 21:24:40 +0000 (UTC) (envelope-from jlh@FreeBSD.org)
Received: from smtp5-g21.free.fr (smtp5-g21.free.fr [IPv6:2a01:e0c:1:1599::14]) by mx1.freebsd.org (Postfix) with ESMTP id 74B4B881; Tue, 19 Feb 2013 21:24:37 +0000 (UTC)
Received: from endor.tataz.chchile.org (unknown [82.233.239.98]) by smtp5-g21.free.fr (Postfix) with ESMTP id 2D11FD48015; Tue, 19 Feb 2013 22:24:31 +0100 (CET)
Received: from felucia.tataz.chchile.org (felucia.tataz.chchile.org [192.168.1.9]) by endor.tataz.chchile.org (Postfix) with ESMTP id 101F3287; Tue, 19 Feb 2013 22:24:31 +0100 (CET)
Received: by felucia.tataz.chchile.org (Postfix, from userid 1000) id E4EBF138AB; Tue, 19 Feb 2013 21:24:30 +0000 (UTC)
Date: Tue, 19 Feb 2013 22:24:30 +0100
From: Jeremie Le Hen
To: Harald Schmalzbauer
Subject: Re: new jail(8) ignoring devfs_ruleset?
Message-ID: <20130219212430.GA92116@felucia.tataz.chchile.org>
Mail-Followup-To: Harald Schmalzbauer, Jamie Gritton, freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
References: <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5121EC52.5040502@omnilan.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-jail@freebsd.org, freebsd-stable@freebsd.org, Jamie Gritton
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Tue, 19 Feb 2013 21:24:40 -0000

On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
> > On 02/15/13 09:27, Harald Schmalzbauer wrote:
> >> Hello,
> >>
> >> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
> >> jail.conf capabilities. Thanks for that extension!
> >>
> >> Accidentally I saw that "devfs_ruleset" seems to be ignored.
> >> If I list /dev/ I see all the host's disk devices etc.
> >> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
> >> Inside the jail,
> >> sysctl security.jail.devfs_ruleset returns "1".
> >> But like mentioned, I can access all devices...
> >>
> >> Thanks for any help,
> >>
> >> -Harry
> >
> > devfs_ruleset is only used along with mount.devfs - do you also have
> > that set in jail.conf?
>
> Thanks for your response.
>
> Yes, I have mount.devfs; set.
> Otherwise I wouldn't have any device inside my jail. Verified - and like
> intended, right?
> Another notable discrepancy: The man page tells that devfs_ruleset is "4"
> by default.
> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
> 'sysctl security.jail.devfs_ruleset': 0
> When set, like mentioned above, it returns the corresponding value, but
> it doesn't have any effect.
> How is devfs_ruleset handled? Does jail(8) do the whole job? I'd like
> to help finding the source, but have missed the whole new jail evolution...
> Inside my jails, I don't have a fstab, outside I have them defined and
> enabled with "mount" - and noticed the non-reverted umounting.

Look at what's in /dev from your jail. There should be a few pseudo
devices (see below), but no real devices:

$ ls /dev
crypto  log   ptmx  random  stdin   urandom  zfs
fd      null  pts   stderr  stdout  zero

--
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
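The reply above turns the problem into a concrete check: with mount.devfs in place and the ruleset applied, a jail's /dev holds only a handful of pseudo devices. The following sh script is an added example, not code from the thread or from FreeBSD; it takes that listing from the reply as an allowlist and reports anything else that is visible, which is the fastest way to tell a leaky jail (the poster's situation, where host disks show through) from a correct one. The sample listings are constructed; the device names ada0/ada0p1/ada0p2 in the "leaky" sample are an assumed example of host disk nodes, and the script does not read the live /dev unless you pass it in.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a jail's /dev
# listing against the pseudo-device set a correctly rule-filtered jail
# should show. The allowlist is taken from the reply's "ls /dev" output.

EXPECTED_JAIL_DEVS="crypto fd log null ptmx pts random stderr stdin stdout urandom zero zfs"

# unexpected_devs LISTING
#   LISTING is whitespace-separated device names, e.g. "$(ls /dev)".
#   Prints one line per entry that is not in the allowlist; prints nothing
#   when the jail only exposes the expected pseudo devices.
unexpected_devs() {
    for dev in $1; do                      # deliberate word splitting
        case " $EXPECTED_JAIL_DEVS " in
            *" $dev "*) ;;                 # expected pseudo device, skip
            *) printf '%s\n' "$dev" ;;     # anything else is a leak
        esac
    done
}

# jail_dev_ok LISTING
#   Exit status 0 when nothing unexpected is visible, 1 otherwise, so it can
#   gate a health check or a cron job from inside the jail.
jail_dev_ok() {
    [ -z "$(unexpected_devs "$1")" ]
}

# Constructed sample: the poster's situation, where the ruleset was not
# applied and host disk nodes (assumed names ada0, ada0p1, ada0p2) show up.
SAMPLE_LEAKY='ada0 ada0p1 ada0p2 crypto fd log null ptmx pts random stderr stdin stdout urandom zero zfs'

# Constructed sample: the healthy listing shown in the reply.
SAMPLE_CLEAN='crypto log ptmx random stdin urandom zfs fd null pts stderr stdout zero'

# Inside a running jail, check the real device tree with:
#   if jail_dev_ok "$(ls /dev)"; then echo "devfs ruleset applied"; else unexpected_devs "$(ls /dev)"; fi
```

A non-empty result is the symptom the thread describes: the jail sees more than the pseudo devices, so either mount.devfs is not set for that jail or the ruleset number never reached devfs. The allowlist is the one from this reply; if your jails legitimately need further nodes (a bpf device for a packet-capturing jail, for instance) extend EXPECTED_JAIL_DEVS rather than loosening the check.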