From owner-freebsd-bugs@FreeBSD.ORG Mon Nov 22 00:40:08 2010 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8A794106564A for ; Mon, 22 Nov 2010 00:40:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 5CC088FC0A for ; Mon, 22 Nov 2010 00:40:08 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id oAM0e8Rg065232 for ; Mon, 22 Nov 2010 00:40:08 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id oAM0e8P7065231; Mon, 22 Nov 2010 00:40:08 GMT (envelope-from gnats) Date: Mon, 22 Nov 2010 00:40:08 GMT Message-Id: <201011220040.oAM0e8P7065231@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org From: Andrey Zholos Cc: Subject: Re: conf/152465: [jail] devfs is mounted in jails without rules if devfs.rules can't be parsed X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Andrey Zholos List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Nov 2010 00:40:08 -0000 The following reply was made to PR conf/152465; it has been noted by GNATS. 
From: Andrey Zholos To: bug-followup@freebsd.org, aaz@althenia.net Cc: Subject: Re: conf/152465: [jail] devfs is mounted in jails without rules if devfs.rules can't be parsed Date: Mon, 22 Nov 2010 00:32:53 +0000 --Boundary-01=_2ob6MTHMShKWTrv Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit The report got truncated (at a line that was a single dot). The rest of How-To-Repeat is: Prevent devfs.rules from being parsed: /etc/devfs.rules now has: [other_rules=99] add path 'ulpt*' group nonexistent [sandbox_rules=100] add hide Watch the jail read /dev/ad0 into /sandbox/ad0_copy: # /etc/rc.d/jail restart Fix: One possible solution is attached: devfs_mount_jail fails if devfs.rules can't be parsed or the ruleset can't be applied, and the jail doesn't start if this happens. This can leave devfs mounted without rules after a jail fails to start, so if devfs is already mounted when the jail is being started the next time, unmount it and try again rather than using it as is. This patch will prevent all jails using devfs from starting if devfs.rules can't be parsed, even those using the standard ruleset (from /etc/defaults/devfs.rules). Another option is to ignore errors in devfs_init_ruleset, while still failing on errors in devfs_set_ruleset and devfs_apply_ruleset. Patch:
--- etc/rc.subr.orig 2010-11-03 17:39:53.000000000 +0000
+++ etc/rc.subr 2010-11-21 18:52:42.000000000 +0000
@@ -1422,14 +1422,19 @@
 return 1
 fi
 debug "$_me: mount-point is ($devdir), ruleset is ($rs)"
+ if [ -n "$rs" ]; then
+ if ! devfs_init_rulesets; then
+ warn "$_me: Unable to load ruleset $rs";
+ return 1
+ fi
+ fi
 if ! mount -t devfs dev "$devdir"; then
 warn "$_me: Unable to mount devfs on $devdir"
 return 1
 fi
 if [ -n "$rs" ]; then
- devfs_init_rulesets
- devfs_set_ruleset $rs $devdir
- devfs -m $devdir rule applyset
+ devfs_set_ruleset $rs $devdir || return 1
+ devfs_apply_ruleset $rs $devdir || return 1
 fi
 return 0
 }
@@ -1448,7 +1453,6 @@
 [ -n "$2" ] && rs=$2 || rs="devfsrules_jail"
 _me="devfs_mount_jail"
- devfs_init_rulesets
 if ! devfs_domount "$jdev" $rs; then
 warn "$_me: devfs was not mounted on $jdev"
 return 1
--- etc/rc.d/jail.orig 2010-11-03 17:39:53.000000000 +0000
+++ etc/rc.d/jail 2010-11-21 18:49:48.000000000 +0000
@@ -590,22 +590,26 @@
 jail_mount_fstab
 fi
 if checkyesno _devfs; then
- # If devfs is already mounted here, skip it.
- df -t devfs "${_devdir}" >/dev/null
- if [ $? -ne 0 ]; then
- if is_symlinked_mountpoint ${_devdir}; then
- warn "${_devdir} has symlink as parent - not starting jail ${_jail}"
- continue
- fi
- info "Mounting devfs on ${_devdir}"
- devfs_mount_jail "${_devdir}" ${_ruleset}
- # Transitional symlink for old binaries
- if [ ! -L "${_devdir}/log" ]; then
- __pwd="`pwd`"
- cd "${_devdir}"
- ln -sf ../var/run/log log
- cd "$__pwd"
- fi
+ # If devfs is already mounted here, unmount it first.
+ if df -t devfs "${_devdir}" >/dev/null; then
+ secure_umount "${_devdir}"
+ fi
+ if is_symlinked_mountpoint ${_devdir}; then
+ warn "${_devdir} has symlink as parent - not starting jail ${_jail}"
+ continue
+ fi
+ info "Mounting devfs on ${_devdir}"
+ if ! devfs_mount_jail "${_devdir}" ${_ruleset}; then
+ warn "devfs failed to mount - not starting jail ${_jail}"
+ continue
+ fi
+
+ # Transitional symlink for old binaries
+ if [ ! -L "${_devdir}/log" ]; then
+ __pwd="`pwd`"
+ cd "${_devdir}"
+ ln -sf ../var/run/log log
+ cd "$__pwd"
 fi
 # XXX - It seems symlinks don't work when there
--Boundary-01=_2ob6MTHMShKWTrv Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit

The report got truncated (at a line that was a single dot).

The rest of How-To-Repeat is:

Prevent devfs.rules from being parsed:

/etc/devfs.rules now has:

[other_rules=99]

add path 'ulpt*' group nonexistent

[sandbox_rules=100]

add hide

Watch the jail read /dev/ad0 into /sandbox/ad0_copy:

# /etc/rc.d/jail restart

Fix:

One possible solution is attached: devfs_mount_jail fails if devfs.rules

can't be parsed or the ruleset can't be applied, and the jail doesn't

start if this happens.

This can leave devfs mounted without rules after a jail fails to start,

so if devfs is already mounted when the jail is being started the next

time, unmount it and try again rather than using it as is.

This patch will prevent all jails using devfs from starting if

devfs.rules can't be parsed, even those using the standard ruleset (from

/etc/defaults/devfs.rules). Another option is to ignore errors in

devfs_init_rulesets, while still failing on errors in devfs_set_ruleset

and devfs_apply_ruleset.

Patch:

--- etc/rc.subr.orig 2010-11-03 17:39:53.000000000 +0000

+++ etc/rc.subr 2010-11-21 18:52:42.000000000 +0000

@@ -1422,14 +1422,19 @@

return 1

fi

debug "$_me: mount-point is ($devdir), ruleset is ($rs)"

+ if [ -n "$rs" ]; then

+ if ! devfs_init_rulesets; then

+ warn "$_me: Unable to load ruleset $rs";

+ return 1

+ fi

+ fi

if ! mount -t devfs dev "$devdir"; then

warn "$_me: Unable to mount devfs on $devdir"

return 1

fi

if [ -n "$rs" ]; then

- devfs_init_rulesets

- devfs_set_ruleset $rs $devdir

- devfs -m $devdir rule applyset

+ devfs_set_ruleset $rs $devdir || return 1

+ devfs_apply_ruleset $rs $devdir || return 1

fi

return 0

}
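Review bot: The two added `|| return 1` exits at the end of this hunk return with devfs still mounted on `$devdir` and no ruleset in force, so the unfiltered device tree stays visible at that path until something else unmounts it; the description acknowledges this and relies on the next jail start to clean up. Failing closed inside this function would be safer: unmount before returning and emit a warning naming the ruleset, so the failure shows up in the log and no unruled mount is left behind. While touching these lines, `$rs` and `$devdir` should be quoted as they already are in the `mount` call. This assumes devfs_set_ruleset and devfs_apply_ruleset signal failure through their exit status, which the hunk does not show; the function's opening lines are also outside the hunk.

```sh
# … unchanged: devfs_init_rulesets check and mount -t devfs …
if [ -n "$rs" ]; then
	if ! devfs_set_ruleset "$rs" "$devdir" ||
	    ! devfs_apply_ruleset "$rs" "$devdir"; then
		warn "$_me: Unable to apply ruleset $rs on $devdir"
		# Do not leave an unruled devfs behind for the jail path.
		umount "$devdir" || warn "$_me: Unable to unmount $devdir"
		return 1
	fi
fi
```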

@@ -1448,7 +1453,6 @@

[ -n "$2" ] && rs=$2 || rs="devfsrules_jail"

_me="devfs_mount_jail"

- devfs_init_rulesets

if ! devfs_domount "$jdev" $rs; then

warn "$_me: devfs was not mounted on $jdev"

return 1

--- etc/rc.d/jail.orig 2010-11-03 17:39:53.000000000 +0000

+++ etc/rc.d/jail 2010-11-21 18:49:48.000000000 +0000

@@ -590,22 +590,26 @@

jail_mount_fstab

fi

if checkyesno _devfs; then

- # If devfs is already mounted here, skip it.

- df -t devfs "${_devdir}" >/dev/null

- if [ $? -ne 0 ]; then

- if is_symlinked_mountpoint ${_devdir}; then

- warn "${_devdir} has symlink as parent - not starting jail ${_jail}"

- continue

- fi

- info "Mounting devfs on ${_devdir}"

- devfs_mount_jail "${_devdir}" ${_ruleset}

- # Transitional symlink for old binaries

- if [ ! -L "${_devdir}/log" ]; then

- __pwd="`pwd`"

- cd "${_devdir}"

- ln -sf ../var/run/log log

- cd "$__pwd"

- fi

+ # If devfs is already mounted here, unmount it first.

+ if df -t devfs "${_devdir}" >/dev/null; then

+ secure_umount "${_devdir}"

+ fi

+ if is_symlinked_mountpoint ${_devdir}; then

+ warn "${_devdir} has symlink as parent - not starting jail ${_jail}"

+ continue

+ fi

+ info "Mounting devfs on ${_devdir}"

+ if ! devfs_mount_jail "${_devdir}" ${_ruleset}; then

+ warn "devfs failed to mount - not starting jail ${_jail}"

+ continue

+ fi

+

+ # Transitional symlink for old binaries

+ if [ ! -L "${_devdir}/log" ]; then

+ __pwd="`pwd`"

+ cd "${_devdir}"

+ ln -sf ../var/run/log log

+ cd "$__pwd"

fi

# XXX - It seems symlinks don't work when there
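Review bot: The result of `secure_umount "${_devdir}"` is ignored, so when the stale devfs cannot be unmounted (for example because something still holds a device node open) the code carries on and mounts another devfs on the same path. Since the unmount exists precisely because the old mount may carry no ruleset, a failed unmount should stop this jail: `secure_umount "${_devdir}" || { warn "cannot unmount stale devfs on ${_devdir} - not starting jail ${_jail}"; continue; }`. This assumes secure_umount reports failure through its exit status, which the hunk does not show. Separately, the relocated `cd "${_devdir}"` before `ln -sf` is unchecked, so a failed cd would create the `log` symlink in the current directory; `ln -sf ../var/run/log "${_devdir}/log"` avoids the directory change. The enclosing loop and the `if checkyesno _devfs` block start and end outside the hunk.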

--Boundary-01=_2ob6MTHMShKWTrv--