From: Warner Losh
Date: Sun, 17 Dec 2017 14:04:19 -0700
Subject: Re: cannot access pass device from within jail
To: Dan Langille
Cc: FreeBSD Current

What are the permissions of /dev/xpt0 in the jail? If it's not there I know at least camcontrol won't work. I've not used mtx, so I can't say if it's affected too or not.

However, looking at the truss output:

    openat(AT_FDCWD,"/dev/pass7",O_RDWR|O_EXCL,00) ERR#1 'Operation not permitted'

suggests something other than the canonical xpt0 issue is going on.

If we look at passopen in cam, I can see two exit paths:

    error = securelevel_gt(td->td_ucred, 1);
    if (error != 0) {
        ...
        return error;
    }

securelevel_gt is just "return (cr->cr_prison->pr_securelevel > level ? EPERM : 0);" which might be possible. What's the securelevel of the jail? Maybe this is going on somehow?

The second is basically

    if (((flags & FWRITE) == 0) || ((flags & FREAD) == 0)) {
        ...
        return EPERM;
    }

which isn't happening because of the O_RDWR in the truss output.

The other possibility is that something above the pass driver is doing the check. I've not looked at that code path yet, but you can see if it's making it to passopen() with dtrace and checking its return value.

I don't see anything in how we register the device, though, that would suggest filtering it in jails.

Warner

On Sun, Dec 17, 2017 at 12:52 PM, Dan Langille wrote:

> Hello,
>
> What suggestions do you have for where I should look next? I'm happy to
> start installing various builds of FreeBSD in order to track down which
> commit caused this.
>
> I'm trying to access a tape library from within a jail running on a
> FreeBSD 11.1 host. sa(4) devices are working (e.g. I can rewind nsa0).
>
> pass(4) devices (i.e. the tape changer ch0) are not working. This morning
> I posted to -scsi@:
> https://lists.freebsd.org/pipermail/freebsd-scsi/2017-December/007608.html
>
> The device appears in the jail and has appropriate permissions. This
> access was granted via /etc/devfs.rules using the same approach I used
> for FreeBSD 10.3
>
> The permissions in the jail:
>
> [root@bacula-sd-02 ~]# ls -l /dev/pass7
> crw------- 1 root operator 0x74 Dec 16 21:52 /dev/pass7
>
> The command in the jail:
>
> [root@bacula-sd-02 ~]# mtx -f /dev/pass7 status
> cannot open SCSI device '/dev/pass7' - Operation not permitted
>
> Here is the truss output of the command in question:
> https://gist.github.com/dlangille/b80ee804b8080e1cbf5b5ab67f0bdabe
>
> Thank you.
>
> --
> Dan Langille - BSDCan / PGCon
> dan@langille.org
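
The following is an added example, not part of the original message and not FreeBSD source: a userland C model of the two passopen() exit paths quoted in the reply, showing which jail securelevels turn an O_RDWR open into EPERM. The struct layouts, the M_* constants, the open-mode conversion and the classify() helper are simplified assumptions made for illustration.

```c
/* Userland model of the two passopen() exit paths quoted in the message.
 * Struct layouts and M_* constants are simplified stand-ins (assumptions). */
#include <errno.h>
#include <stdio.h>

#define M_FREAD    0x0001  /* stand-in for the kernel's FREAD */
#define M_FWRITE   0x0002  /* stand-in for the kernel's FWRITE */
#define M_O_RDONLY 0
#define M_O_RDWR   2

struct prison { int pr_securelevel; };
struct ucred  { struct prison *cr_prison; };
enum exit_path { PATH_OK, PATH_SECURELEVEL, PATH_FLAGS };

/* As quoted in the message: EPERM once the jail's securelevel exceeds level. */
static int securelevel_gt(const struct ucred *cr, int level)
{
    return (cr->cr_prison->pr_securelevel > level ? EPERM : 0);
}

/* Returns the errno the two quoted checks would yield and records which
 * check produced it. Access mode 0/1/2 maps to FREAD/FWRITE bits by adding
 * 1 (simplified model of the kernel's open-flag conversion). */
static int passopen_model(const struct ucred *cr, int oflags, enum exit_path *why)
{
    int flags = (oflags & 3) + 1;
    int error = securelevel_gt(cr, 1);
    if (error != 0) { *why = PATH_SECURELEVEL; return error; }
    if (((flags & M_FWRITE) == 0) || ((flags & M_FREAD) == 0)) {
        *why = PATH_FLAGS;
        return EPERM;
    }
    *why = PATH_OK;
    return 0;
}

/* Hypothetical helper: run the model for one securelevel / open-mode pair. */
static enum exit_path classify(int securelevel, int oflags, int *err)
{
    struct prison pr = { securelevel };
    struct ucred cr = { &pr };
    enum exit_path why;
    *err = passopen_model(&cr, oflags, &why);
    return why;
}

int main(void)
{
    int err, lvl;
    for (lvl = -1; lvl <= 3; lvl++)
        printf("securelevel %2d, O_RDWR -> path %d\n", lvl,
            (int)classify(lvl, M_O_RDWR, &err));
    return 0;
}
```

In this model an O_RDWR open is refused only when the jail's securelevel is 2 or higher, which is why the reply asks for the jail's securelevel.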