From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Fri, 22 Mar 2013 01:20:41 +0100
To: Jamie Gritton
Cc: Harald Schmalzbauer, freebsd-jail@FreeBSD.org, freebsd-stable@FreeBSD.org
Subject: Re: new jail(8) ignoring devfs_ruleset?

Jamie Gritton wrote:
> On 03/21/13 17:59, Miroslav Lachman wrote:
>> Jeremie Le Hen wrote:
>>> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>>>> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>>>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>>>> Hello,
>>>>>>
>>>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>>>>> jail.conf capabilities. Thanks for that extension!
>>>>>>
>>>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>>>> If I list /dev/ I see all the host's disk devices etc.
>>>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>>>> Inside the jail, sysctl security.jail.devfs_ruleset returns "1".
>>>>>> But like mentioned, I can access all devices...

[...]

>> I can confirm the mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC.
>>
>> I am now testing new jail.conf possibilities and I am seeing all devices
>> in /dev in jail.
>>
>> Even if I set all this in my jail.conf
>>
>> exec.start = "/bin/sh /etc/rc";
>> exec.stop = "/bin/sh /etc/rc.shutdown";
>> exec.clean;
>> mount.devfs;
>> devfs_ruleset = 4;
>> allow.set_hostname = false;
>>
>> path = "/vol0/jail/$name";
>> exec.consolelog = "/var/log/jail/$name.console";
>> mount.fstab = "/etc/fstab.$name";
>>
>> ## Jail bali
>> bali {
>>     host.hostname = "bali.XXXXXXX.YY";
>>     ip4.addr = xx.xx.xx.xx;
>>     devfs_ruleset = 4;
>> }

[...]

>> Is it a problem in my understanding of manpage / configuration, or is it
>> a bug in jail command on 9.1-RELEASE?
>>
>> Miroslav Lachman
>
> It's a bug (deficiency) in the jail command.

Is there a workaround or is it impossible to use jails with devfs on FreeBSD 9.1?
Shouldn't it be mentioned in 9.1 errata?
Is it fixed in stable/9?

Thank you for your reply and your great work on new jails!

Miroslav Lachman
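As an added example, not from the thread or from FreeBSD's own tooling: a host-side check that flags device nodes a jail running under the default devfsrules_jail set (ruleset 4) should not see, which is the symptom reported above. The allowlist is an assumption derived from the devfsrules_unhide_basic and devfsrules_unhide_login sets in /etc/defaults/devfs.rules; the device listings are constructed samples, and the jail path in the comments is the one quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: detect a jail /dev that looks like
# devfs was mounted without the configured ruleset applied.
# Nodes the default devfsrules_jail set (ruleset 4, built from
# devfsrules_unhide_basic and devfsrules_unhide_login) leaves visible.
# Assumption: adjust this list to the local /etc/devfs.rules.
ALLOWED="null zero crypto random urandom ctty fd stdin stdout stderr"

# Print every name in a whitespace-separated /dev listing that the
# ruleset should have hidden, one per line (empty output means clean).
unexpected_devs() {
    for d in $1; do
        case " $ALLOWED " in
            *" $d "*) ;;      # permitted by the jail ruleset
            *) echo "$d" ;;   # e.g. ada0, mem, kmem: host devices leaked
        esac
    done
}

# Exit status 0 when the listing contains only permitted nodes, 1 otherwise.
devfs_listing_clean() {
    [ -z "$(unexpected_devs "$1")" ]
}

# Constructed samples: what the thread describes (host disks and memory
# devices visible inside the jail) versus a correctly filtered /dev.
SAMPLE_LEAKY="ada0 ada0p1 ada0p2 console ctty fd kmem mem null random stdin stdout stderr urandom zero"
SAMPLE_CLEAN="crypto ctty fd null random stdin stdout stderr urandom zero"

# On a live host, pass the real listing instead of a sample. The path is the
# one quoted in the thread; the devfs(8) invocation applies ruleset 4 to that
# mount from the host if the jail command did not:
#   unexpected_devs "$(ls /vol0/jail/bali/dev | xargs)"
#   devfs -m /vol0/jail/bali/dev rule -s 4 applyset
devfs_listing_clean "$SAMPLE_LEAKY" || echo "leaky: $(unexpected_devs "$SAMPLE_LEAKY" | xargs)"
devfs_listing_clean "$SAMPLE_CLEAN" && echo "clean"
```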