From: Warner Losh
Date: Sun, 17 Dec 2017 14:48:39 -0700
Subject: Re: cannot access pass device from within jail
To: Dan Langille
Cc: FreeBSD Current
List-Id: Discussions about the use of FreeBSD-current

Sorry to top post. The problem did turn out to be securelevel. We found this by doing

    dtrace -n 'fbt::securelevel_gt:return {print(args[1]);}'

Though you could also replace securelevel_gt with passopen to see it was in passopen too...

Warner

On Sun, Dec 17, 2017 at 2:08 PM, Dan Langille wrote:

> > On Dec 17, 2017, at 4:04 PM, Warner Losh wrote:
> >
> > What are the permissions of /dev/xpt0 in the jail? If it's not there I know
> > at least camcontrol won't work. I've not used mtx, so I can't say if it's
> > affected too or not.
>
> I have tried both with and without xpt0.
> When I tried, it was:
>
> # ls -l /dev/xpt0
> crw------- 1 root operator 0x4c Dec 16 21:52 /dev/xpt0
>
> >
> > However, looking at the truss output:
> >
> > openat(AT_FDCWD,"/dev/pass7",O_RDWR|O_EXCL,00) ERR#1 'Operation not permitted'
> >
> > suggests something other than the canonical xpt0 issue is going on. If
> > we look at passopen in cam, I can see two exit paths:
> >
> > error = securelevel_gt(td->td_ucred, 1);
> > if (error != 0) {...
> >     return error;
> > }
> >
> > securelevel_gt is just "return (cr->cr_prison->pr_securelevel > level ?
> > EPERM : 0);" which might be possible. What's the securelevel of the jail?
> > Maybe this is going on somehow?
>
> On the host:
>
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
> On the jail:
>
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
> >
> > The second is basically
> >
> > if (((flags & FWRITE) == 0) || ((flags & FREAD) == 0)) {...
> >     return EPERM;
> > }
> >
> > which isn't happening because of the O_RDWR in the truss output.
> >
> > The other possibility is that something above the pass driver is doing the
> > check. I've not looked at that code path yet, but you can see if it's
> > making it to passopen() with dtrace and checking its return value. I don't
> > see anything in how we register the device, though, that would suggest
> > filtering it in jails.
> >
> > Warner
> >
> > On Sun, Dec 17, 2017 at 12:52 PM, Dan Langille wrote:
> >
> >> Hello,
> >>
> >> What suggestions do you have for where I should look next? I'm happy to
> >> start installing various builds of FreeBSD in order to track down which
> >> commit caused this.
> >>
> >> I'm trying to access a tape library from within a jail running on a
> >> FreeBSD 11.1 host. sa(4) devices are working (e.g. I can rewind nsa0).
> >>
> >> pass(4) devices (i.e. the tape changer ch0) are not working.
> >> This morning I posted to -scsi@:
> >> https://lists.freebsd.org/pipermail/freebsd-scsi/2017-December/007608.html
> >>
> >> The device appears in the jail and has appropriate permissions. This
> >> access was granted
> >> via /etc/devfs.rules using the same approach I used for FreeBSD 10.3
> >>
> >> The permissions in the jail:
> >>
> >> [root@bacula-sd-02 ~]# ls -l /dev/pass7
> >> crw------- 1 root operator 0x74 Dec 16 21:52 /dev/pass7
> >>
> >> The command in the jail:
> >>
> >> [root@bacula-sd-02 ~]# mtx -f /dev/pass7 status
> >> cannot open SCSI device '/dev/pass7' - Operation not permitted
> >>
> >> Here is the truss output of the command in question:
> >> https://gist.github.com/dlangille/b80ee804b8080e1cbf5b5ab67f0bdabe
> >>
> >> Thank you.
> >>
> >> --
> >> Dan Langille - BSDCan / PGCon
> >> dan@langille.org
> >>
> >> _______________________________________________
> >> freebsd-current@freebsd.org mailing list
> >> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> >> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
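
The two passopen exit paths quoted in the thread, as a user-space model showing which one returns EPERM for a given jail securelevel and open mode. This is an added example, not FreeBSD kernel source and not code from the thread; the `model_*` names and `M_*` constants are hypothetical, with values assumed to match FreeBSD's `<sys/fcntl.h>`.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed FreeBSD <sys/fcntl.h> values, redefined so the model builds anywhere. */
#define M_O_RDONLY 0x0000
#define M_O_RDWR   0x0002
#define M_O_EXCL   0x0800
#define M_FREAD    0x0001
#define M_FWRITE   0x0002
/* open(2) flags become F* flags by adding 1 (the O_EXEC case is left out). */
#define M_FFLAGS(oflags) ((oflags) + 1)

enum exit_path { PATH_OK, PATH_SECURELEVEL, PATH_NOT_RDWR };

/* As quoted in the thread: EPERM when the prison's securelevel exceeds level. */
static int model_securelevel_gt(int pr_securelevel, int level)
{
    return pr_securelevel > level ? EPERM : 0;
}

/* Model of the two exit paths; *path reports which check rejected the open. */
static int model_passopen(int pr_securelevel, int oflags, enum exit_path *path)
{
    int flags = M_FFLAGS(oflags);
    int error = model_securelevel_gt(pr_securelevel, 1);

    if (error != 0) {
        *path = PATH_SECURELEVEL;
        return error;
    }
    if ((flags & M_FWRITE) == 0 || (flags & M_FREAD) == 0) {
        *path = PATH_NOT_RDWR;
        return EPERM;
    }
    *path = PATH_OK;
    return 0;
}

int main(void)
{
    static const char *names[] = { "ok", "securelevel_gt", "not O_RDWR" };
    int levels[] = { -1, 1, 2, 3 };   /* constructed sample securelevels */
    enum exit_path p;

    for (int i = 0; i < 4; i++) {
        int e = model_passopen(levels[i], M_O_RDWR | M_O_EXCL, &p);
        printf("securelevel=%2d O_RDWR|O_EXCL -> errno %d (%s)\n", levels[i], e, names[p]);
    }
    printf("securelevel=-1 O_RDONLY -> errno %d\n", model_passopen(-1, M_O_RDONLY, &p));
    return 0;
}
```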