Date: Sun, 17 Dec 2017 14:48:39 -0700 From: Warner Losh <imp@bsdimp.com> To: Dan Langille <dan@langille.org> Cc: FreeBSD Current <freebsd-current@freebsd.org> Subject: Re: cannot access pass device from within jail Message-ID: <CANCZdfr_VQE-WyZUfsYyWdyGRuPUh4qgn2Aqr7agGWQEH_Ypdg@mail.gmail.com> In-Reply-To: <C19AEFEA-1105-4891-ABDE-B7222147D396@langille.org> References: <E1314554-C8D0-4E8F-B8DB-E0B4D9DE325F@langille.org> <CANCZdfqWF1ckY58yp6sDGkJHxnwoyQB=nz1mnRKZe_mOM3H-gQ@mail.gmail.com> <C19AEFEA-1105-4891-ABDE-B7222147D396@langille.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Sorry to top post. The problem did turn out to be securelevel. We found
this by doing
dtrace -n 'fbt::securelevel_gt:return {print(args[1];)}'
Though you could also replace securelevel_gt with passopen to see it was in
passopen too...
Warner
On Sun, Dec 17, 2017 at 2:08 PM, Dan Langille <dan@langille.org> wrote:
> > On Dec 17, 2017, at 4:04 PM, Warner Losh <imp@bsdimp.com> wrote:
> >
> > What's the permissions of /dev/xpt0 in the jail? If it's not there I know
> > at least camcontrol won't work. I've not used mtx, so I can't say if it's
> > affected too or not.
>
> I have tried both with and without xpt0. When I tried, it was:
>
> # ls -l /dev/xpt0
> crw------- 1 root operator 0x4c Dec 16 21:52 /dev/xpt0
>
> >
> > However, looking at the truss output:
> >
> > openat(AT_FDCWD,"/dev/pass7",O_RDWR|O_EXCL,00) ERR#1 'Operation not
> > permitted'
> > suggests something other than the canonical xpt0 issue else is going on.
> If
> > we look at passopen in cam, I can see two exit paths:
> >
> > error = securelevel_gt(td->td_ucred, 1); if (error != 0) {...
> > return error; }
> > securelevel_gt is just "return (cr->cr_prison->pr_securelevel > level ?
> > EPERM : 0);" which might be possible. What's the securelevel of the jail?
> > Maybe this is going on somehow?
>
>
> On the host:
>
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
>
> On the jail:
>
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
> >
> > The second is basically
> > if (((flags & FWRITE) == 0) || ((flags & FREAD) == 0)) {... return
> > EPERM; }
> > which isn't happening because of the O_RDWR in the truss output.
> >
> > The other possibility is that something above the pass driver is doing
> the
> > check. I've not looked at that code path yet, buy you can see if it's
> > making it to passopen() with dtrace and checking its return value. I
> don't
> > see anything in how we register the device, though, that would suggest
> > filtering it in jails.
> >
> > Warner
> >
> > On Sun, Dec 17, 2017 at 12:52 PM, Dan Langille <dan@langille.org> wrote:
> >
> >> Hello,
> >>
> >> What suggestions do you have for where I should look next? I'm happy to
> >> start installing various builds of FreeBSD in order to track down which
> >> commit caused this.
> >>
> >> I'm trying to access a tape library from within a jail running on a
> >> FreeBSD 11.1 host. sa(4) devices are working (e.g. I can rewind nsa0).
> >>
> >> pass(4) devices (i.e. the tape changer ch0) are not working. This
> morning
> >> I posted to -scsi@: https://lists.freebsd.org/
> pipermail/freebsd-scsi/2017-
> >> December/007608.html
> >>
> >> The device appears in the jail and has appropriate permissions. This
> >> access was granted
> >> via /etc/devfs.rules using the same approach I used for FreeBSD 10.3
> >>
> >> The permissions in the jail:
> >>
> >> [root@bacula-sd-02 ~]# ls -l /dev/pass7
> >> crw------- 1 root operator 0x74 Dec 16 21:52 /dev/pass7
> >>
> >> The command in the jail:
> >>
> >> [root@bacula-sd-02 ~]# mtx -f /dev/pass7 status
> >> cannot open SCSI device '/dev/pass7' - Operation not permitted
> >>
> >> Here is the truss output of the command in question:
> >> https://gist.github.com/dlangille/b80ee804b8080e1cbf5b5ab67f0bdabe
> >>
> >> Thank you.
> >>
> >> --
> >> Dan Langille - BSDCan / PGCon
> >> dan@langille.org
> >>
> >>
> >> _______________________________________________
> >> freebsd-current@freebsd.org mailing list
> >> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> >> To unsubscribe, send any mail to "freebsd-current-unsubscribe@
> freebsd.org"
> >>
> > _______________________________________________
> > freebsd-current@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-current
> > To unsubscribe, send any mail to "freebsd-current-unsubscribe@
> freebsd.org"
>
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANCZdfr_VQE-WyZUfsYyWdyGRuPUh4qgn2Aqr7agGWQEH_Ypdg>