From owner-freebsd-jail@FreeBSD.ORG Mon Feb 18 08:54:51 2013
From: Harald Schmalzbauer <h.schmalzbauer@omnilan.de>
Organization: OmniLAN
Date: Mon, 18 Feb 2013 09:54:42 +0100
To: Jamie Gritton
Cc: freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: new jail(8) ignoring devfs_ruleset?
Message-ID: <5121EC52.5040502@omnilan.de>
In-Reply-To: <511EC759.4060704@FreeBSD.org>
List-Id: "Discussion about FreeBSD jail(8)"

Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>> Hello,
>>
>> As already posted, on 9.1-R I highly appreciate the new jail(8) and
>> jail.conf capabilities. Thanks for that extension!
>>
>> By chance I saw that "devfs_ruleset" seems to be ignored.
>> If I list /dev/ I see all the host's disk devices etc.
>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>> Inside the jail,
>> sysctl security.jail.devfs_ruleset returns "1".
>> But as mentioned, I can access all devices...
>>
>> Thanks for any help,
>>
>> -Harry
>
> devfs_ruleset is only used along with mount.devfs - do you also have
> that set in jail.conf?

Thanks for your response.

Yes, I have mount.devfs; set.
Otherwise I wouldn't have any device inside my jail. Verified - and as
intended, right?
Another notable discrepancy: the man page says that devfs_ruleset is "4"
by default.
But when I don't set devfs_ruleset in jail.conf at all, inside the jail
'sysctl security.jail.devfs_ruleset' returns 0.
When set, as mentioned above, it returns the corresponding value, but
it doesn't have any effect.
How is devfs_ruleset handled? Does jail(8) do the whole job? I'd like
to help find the source, but have missed the whole new jail evolution...
Inside my jails I don't have a fstab; outside I have them defined and
enabled with "mount" - and noticed the non-reverted umounting.

Thanks,

-Harry

From owner-freebsd-jail@FreeBSD.ORG Mon Feb 18 11:06:47 2013
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 18 Feb 2013 11:06:46 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-Id: <201302181106.r1IB6kPq061583@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/176112  jail  [jail] [panic] kernel panic when starting jails
o kern/176092  jail  [jail] [panic] Starting a jail on my releng/9.1 kernel
o kern/174902  jail  [jail] jail should provide validator for jail names
o kern/174436  jail  [jail] Jails with numbers as names don't work
o bin/173469   jail  [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail  [jail] reading routing information does not work in ja
o bin/167911   jail  new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail  [jail] inter-jail communication failure
o kern/156111  jail  [jail] procstat -b not supported in jail
o misc/155765  jail  [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail  [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail  [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail  [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail  [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail  [jail] is there a solution how to run nfs client in ja
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid

17 problems total.
From owner-freebsd-jail@FreeBSD.ORG Mon Feb 18 16:26:51 2013
From: Jamie Gritton <jamie@FreeBSD.org>
Date: Mon, 18 Feb 2013 09:26:42 -0700
To: Harald Schmalzbauer
Cc: freebsd-jail, freebsd-stable
Subject: Re: new jail(8) ignoring devfs_ruleset?
Message-ID: <51225642.2010501@FreeBSD.org>
In-Reply-To: <5121EC52.5040502@omnilan.de>

On 02/18/13 01:54, Harald Schmalzbauer wrote:
> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>> [...]
>>> By chance I saw that "devfs_ruleset" seems to be ignored.
>>> If I list /dev/ I see all the host's disk devices etc.
>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>> Inside the jail,
>>> sysctl security.jail.devfs_ruleset returns "1".
>>> But as mentioned, I can access all devices...
>>
>> devfs_ruleset is only used along with mount.devfs - do you also have
>> that set in jail.conf?
>
> Thanks for your response.
>
> Yes, I have mount.devfs; set.
> Otherwise I wouldn't have any device inside my jail. Verified - and as
> intended, right?
> Another notable discrepancy: the man page says that devfs_ruleset is "4"
> by default.
> But when I don't set devfs_ruleset in jail.conf at all, inside the jail
> 'sysctl security.jail.devfs_ruleset' returns 0.
> When set, as mentioned above, it returns the corresponding value, but
> it doesn't have any effect.
> How is devfs_ruleset handled? Does jail(8) do the whole job? I'd like
> to help find the source, but have missed the whole new jail evolution...
> Inside my jails I don't have a fstab; outside I have them defined and
> enabled with "mount" - and noticed the non-reverted umounting.

I found the problem - I noticed you mentioned 9.1-R, and took a look at
devfs(5). On CURRENT, there's a mount option "ruleset", that isn't there
on 9.

So I'll have to get around it by running devfs(8) after the mount. I'll
work on a patch for that.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Mon Feb 18 16:30:01 2013
From: Mateusz Guzik <mjguzik@gmail.com>
Date: Mon, 18 Feb 2013 17:29:56 +0100
To: Jamie Gritton
Cc: Harald Schmalzbauer, freebsd-stable, freebsd-jail
Subject: Re: new jail(8) ignoring devfs_ruleset?
Message-ID: <20130218162956.GA1834@dft-labs.eu>
In-Reply-To: <51225642.2010501@FreeBSD.org>

On Mon, Feb 18, 2013 at 09:26:42AM -0700, Jamie Gritton wrote:
> On 02/18/13 01:54, Harald Schmalzbauer wrote:
> > [...]
> > Yes, I have mount.devfs; set.
> > [...]
> > When set, as mentioned above, it returns the corresponding value, but
> > it doesn't have any effect.
> > How is devfs_ruleset handled? Does jail(8) do the whole job?
>
> I found the problem - I noticed you mentioned 9.1-R, and took a look at
> devfs(5). On CURRENT, there's a mount option "ruleset", that isn't there
> on 9.
>
> So I'll have to get around it by running devfs(8) after the mount. I'll
> work on a patch for that.
>

Why not MFC support for that mount option instead?

--
Mateusz Guzik

From owner-freebsd-jail@FreeBSD.ORG Mon Feb 18 17:06:57 2013
From: Jamie Gritton <jamie@FreeBSD.org>
Date: Mon, 18 Feb 2013 10:06:55 -0700
To: Mateusz Guzik
Subject: Re: new jail(8) ignoring devfs_ruleset?
Cc: Harald Schmalzbauer, freebsd-stable, freebsd-jail
Message-ID: <51225FAF.9010507@FreeBSD.org>
In-Reply-To: <20130218162956.GA1834@dft-labs.eu>

On 02/18/13 09:29, Mateusz Guzik wrote:
> On Mon, Feb 18, 2013 at 09:26:42AM -0700, Jamie Gritton wrote:
>> [...]
>> I found the problem - I noticed you mentioned 9.1-R, and took a look at
>> devfs(5). On CURRENT, there's a mount option "ruleset", that isn't there
>> on 9.
>>
>> So I'll have to get around it by running devfs(8) after the mount. I'll
>> work on a patch for that.
>>
>
> Why not MFC support for that mount option instead?

That may be a better way around it, since either solution will require an
MFC. It'd be nice to have a patch to jail(8) anyway, since just dropping
in a new jail program is easier than dropping in a new kernel. I'll have
to take a look at the devfs code and see if that was a reasonably small
change.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Tue Feb 19 17:53:33 2013
From: Jamie Gritton <jamie@FreeBSD.org>
Date: Tue, 19 Feb 2013 10:53:20 -0700
To: Mateusz Guzik
Cc: Harald Schmalzbauer, freebsd-stable, freebsd-jail
Subject: Re: new jail(8) ignoring devfs_ruleset?
Message-ID: <5123BC10.1070002@FreeBSD.org>
In-Reply-To: <20130218162956.GA1834@dft-labs.eu>

On 02/18/13 09:29, Mateusz Guzik wrote:
> On Mon, Feb 18, 2013 at 09:26:42AM -0700, Jamie Gritton wrote:
>> On 02/18/13 01:54, Harald Schmalzbauer wrote:
>>> [...]
>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>> Inside the jail,
>>> sysctl security.jail.devfs_ruleset returns "1".
>>> But as mentioned, I can access all devices...
>>> [...]
>>
>> I found the problem - I noticed you mentioned 9.1-R, and took a look at
>> devfs(5). On CURRENT, there's a mount option "ruleset", that isn't there
>> on 9.
>>
>> So I'll have to get around it by running devfs(8) after the mount. I'll
>> work on a patch for that.
>>
>
> Why not MFC support for that mount option instead?

I wasn't quite right about it not being in 9.1. I was looking at my 9.0
desktop, and it's not there. But it was in fact MFCd into 9.1. So I'm
back to saying as long as you use the devfs_ruleset parameter, your
jailed /dev should be correct.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Tue Feb 19 21:24:40 2013
From: Jeremie Le Hen <jlh@FreeBSD.org>
Date: Tue, 19 Feb 2013 22:24:30 +0100
To: Harald Schmalzbauer
Subject: Re: new jail(8) ignoring devfs_ruleset?
Cc: freebsd-jail@freebsd.org, freebsd-stable@freebsd.org, Jamie Gritton
Message-ID: <20130219212430.GA92116@felucia.tataz.chchile.org>
In-Reply-To: <5121EC52.5040502@omnilan.de>

On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
> > On 02/15/13 09:27, Harald Schmalzbauer wrote:
> > > [...]
> > > I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
> > > Inside the jail,
> > > sysctl security.jail.devfs_ruleset returns "1".
> > > But as mentioned, I can access all devices...
> >
> > devfs_ruleset is only used along with mount.devfs - do you also have
> > that set in jail.conf?
>
> Thanks for your response.
>
> Yes, I have mount.devfs; set.
> Otherwise I wouldn't have any device inside my jail. Verified - and as
> intended, right?
> Another notable discrepancy: the man page says that devfs_ruleset is "4"
> by default.
> But when I don't set devfs_ruleset in jail.conf at all, inside the jail
> 'sysctl security.jail.devfs_ruleset' returns 0.
> When set, as mentioned above, it returns the corresponding value, but
> it doesn't have any effect.
> How is devfs_ruleset handled? Does jail(8) do the whole job? I'd like
> to help find the source, but have missed the whole new jail evolution...
> Inside my jails I don't have a fstab; outside I have them defined and
> enabled with "mount" - and noticed the non-reverted umounting.

Look at what's in /dev from your jail. There should be a few pseudo
devices (see below), but no real devices:

$ ls /dev
crypto   log      ptmx     random   stdin    urandom  zfs
fd       null     pts      stderr   stdout   zero

--
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
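The check Jeremie describes above, as an added example that is not part of the thread and not FreeBSD's own tooling: a small sh(1) script that compares a jail's /dev against the pseudo-device list from his message and reports any node that leaked through (a disk such as ada0 visible from inside the jail is exactly the symptom Harald reported). The expected list is taken from his ls output and is an assumption on my part; a site ruleset may unhide more (tty, bpf, ...), so adjust it to your /etc/devfs.rules. The jail paths in the comments are placeholders. The comments also record, from the thread, the two host-side ways to get ruleset 4 applied on 9.1 and later: the "ruleset" devfs mount option that Jamie confirmed was MFCd, and devfs(8) re-applying the ruleset after the mount.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit a jail's /dev
# against the set of pseudo devices that devfs ruleset 4 (devfsrules_jail) is
# expected to leave visible, and report anything else that leaked through.
#
# Assumptions (mine): EXPECTED_DEV is the listing Jeremie posted; a site
# ruleset may legitimately unhide more (tty, bpf, ...), so adjust it to match
# your /etc/devfs.rules. The jail paths below are placeholders.
#
# What jail(8) does for "mount.devfs; devfs_ruleset = 4;" on 9.1 and later
# can be reproduced by hand on the host, either at mount time:
#   mount -t devfs -o ruleset=4 devfs /usr/jails/www/dev
# or afterwards, on an already mounted jail /dev, with devfs(8):
#   devfs -m /usr/jails/www/dev rule -s 4 applyset

EXPECTED_DEV="crypto fd log null ptmx pts random stderr stdin stdout urandom zero zfs"

# is_expected NAME: succeed if NAME is one of the expected pseudo devices.
is_expected() {
    for e in $EXPECTED_DEV; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# check_jail_dev DEVDIR: print every node under DEVDIR that is not expected.
# Returns 0 when the directory is clean, 1 when something leaked.
check_jail_dev() {
    devdir=$1
    leaked=0
    for path in "$devdir"/*; do
        [ -e "$path" ] || continue      # empty dir: the glob stays literal
        name=${path##*/}
        if ! is_expected "$name"; then
            echo "unexpected device node in $devdir: $name"
            leaked=1
        fi
    done
    return $leaked
}

# make_fixture DIR NAME...: build a constructed, fake /dev for offline testing
# (plain files stand in for device nodes; the check only looks at names).
make_fixture() {
    dir=$1; shift
    mkdir -p "$dir"
    for n in "$@"; do
        : > "$dir/$n"
    done
}

# Usage on a host: sh check_jail_dev.sh /usr/jails/www/dev
if [ "$#" -gt 0 ]; then
    check_jail_dev "$1"
fi
```

Run it on the host against the jail's mounted /dev (jails normally cannot see the host's devfs rulesets, so that is where the comparison belongs), or inside the jail against /dev; a non-zero exit with a list of disk or tty nodes means the ruleset was not applied to that mount.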