From: Dan Langille
To: Warner Losh
Cc: FreeBSD Current
Subject: Re: cannot access pass device from within jail
Date: Sun, 17 Dec 2017 16:08:08 -0500
List-Id: Discussions about the use of FreeBSD-current

> On Dec 17, 2017, at 4:04 PM, Warner Losh wrote:
>
> What's the permissions of /dev/xpt0 in the jail? If it's not there I know
> at least camcontrol won't work. I've not used mtx, so I can't say if it's
> affected too or not.

I have tried both with and without xpt0.

When I tried, it was:

# ls -l /dev/xpt0
crw-------  1 root  operator  0x4c Dec 16 21:52 /dev/xpt0

>
> However, looking at the truss output:
>
> openat(AT_FDCWD,"/dev/pass7",O_RDWR|O_EXCL,00) ERR#1 'Operation not
> permitted'
> suggests something other than the canonical xpt0 issue else is going on. If
> we look at passopen in cam, I can see two exit paths:
>
>         error = securelevel_gt(td->td_ucred, 1);
>         if (error != 0) {...
>                 return error;
>         }
> securelevel_gt is just "return (cr->cr_prison->pr_securelevel > level ?
> EPERM : 0);" which might be possible. What's the securelevel of the jail?
> Maybe this is going on somehow?

On the host:

$ sysctl kern.securelevel
kern.securelevel: -1

On the jail:

$ sysctl kern.securelevel
kern.securelevel: -1

>
> The second is basically
>         if (((flags & FWRITE) == 0) || ((flags & FREAD) == 0)) {...
>                 return EPERM;
>         }
> which isn't happening because of the O_RDWR in the truss output.
>
> The other possibility is that something above the pass driver is doing the
> check. I've not looked at that code path yet, but you can see if it's
> making it to passopen() with dtrace and checking its return value. I don't
> see anything in how we register the device, though, that would suggest
> filtering it in jails.
>
> Warner
>
> On Sun, Dec 17, 2017 at 12:52 PM, Dan Langille wrote:
>
>> Hello,
>>
>> What suggestions do you have for where I should look next? I'm happy to
>> start installing various builds of FreeBSD in order to track down which
>> commit caused this.
>>
>> I'm trying to access a tape library from within a jail running on a
>> FreeBSD 11.1 host. sa(4) devices are working (e.g. I can rewind nsa0).
>>
>> pass(4) devices (i.e. the tape changer ch0) are not working. This morning
>> I posted to -scsi@:
>> https://lists.freebsd.org/pipermail/freebsd-scsi/2017-December/007608.html
>>
>> The device appears in the jail and has appropriate permissions. This
>> access was granted
>> via /etc/devfs.rules using the same approach I used for FreeBSD 10.3
>>
>> The permissions in the jail:
>>
>> [root@bacula-sd-02 ~]# ls -l /dev/pass7
>> crw-------  1 root  operator  0x74 Dec 16 21:52 /dev/pass7
>>
>> The command in the jail:
>>
>> [root@bacula-sd-02 ~]# mtx -f /dev/pass7 status
>> cannot open SCSI device '/dev/pass7' - Operation not permitted
>>
>> Here is the truss output of the command in question:
>> https://gist.github.com/dlangille/b80ee804b8080e1cbf5b5ab67f0bdabe
>>
>> Thank you.
>>
>> --
>> Dan Langille - BSDCan / PGCon
>> dan@langille.org
>>
>> _______________________________________________
>> freebsd-current@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
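
Added example, not part of the thread and not FreeBSD source: a user-space C model of the two EPERM exit paths quoted from passopen() above, evaluated over several securelevels and open modes, including the securelevel -1 and O_RDWR|O_EXCL reported in this thread. The `model_*` functions and `MODEL_*` constants are hypothetical stand-ins; the flag values and the "+1" access-mode conversion are assumed from FreeBSD's <sys/fcntl.h> and are not shown in the thread.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed FreeBSD <sys/fcntl.h> values, redefined so this builds anywhere. */
#define MODEL_O_RDONLY 0x0000
#define MODEL_O_WRONLY 0x0001
#define MODEL_O_RDWR   0x0002
#define MODEL_O_EXCL   0x0800
#define MODEL_FREAD    0x0001
#define MODEL_FWRITE   0x0002

/* open(2) flags become kernel f_flag by adding 1 (O_EXEC case ignored here). */
static int model_fflags(int oflags) { return oflags + 1; }

/* The one-liner quoted in the thread: EPERM when securelevel > level. */
static int model_securelevel_gt(int pr_securelevel, int level)
{
    return pr_securelevel > level ? EPERM : 0;
}

enum exit_path { PATH_NONE, PATH_SECURELEVEL, PATH_NOT_RDWR };

/* Reports which of the two quoted checks, in order, would reject the open. */
static enum exit_path model_passopen(int pr_securelevel, int oflags, int *error)
{
    int flags = model_fflags(oflags);

    *error = model_securelevel_gt(pr_securelevel, 1);
    if (*error != 0)
        return PATH_SECURELEVEL;
    if ((flags & MODEL_FWRITE) == 0 || (flags & MODEL_FREAD) == 0) {
        *error = EPERM;
        return PATH_NOT_RDWR;
    }
    return PATH_NONE;   /* *error is already 0: neither check fired */
}

int main(void)
{
    static const char *why[] = { "passes both", "securelevel_gt", "not read+write" };
    int modes[] = { MODEL_O_RDONLY, MODEL_O_WRONLY, MODEL_O_RDWR | MODEL_O_EXCL };

    for (int sl = -1; sl <= 3; sl++)
        for (int m = 0; m < 3; m++) {
            int err;
            enum exit_path p = model_passopen(sl, modes[m], &err);
            printf("securelevel=%2d oflags=0x%04x -> errno %d (%s)\n",
                   sl, modes[m], err, why[p]);
        }
    return 0;
}
```

With the values from this thread the model passes both checks, which matches the suggestion above that the EPERM comes from somewhere outside these two exit paths.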