Re: Devfs error with hierarchical jails
- In reply to: Quentin_Thébault : "Devfs error with hierarchical jails"
Date: Fri, 27 Sep 2024 18:34:26 UTC
On 2024-09-27 05:01, Quentin Thébault wrote:
> I am trying to make iocage usable in hierarchical jail scenarios.
> I think I solved most issues in the code, but devfs is giving me a hard
> time.
>
> I put the following configuration both at the level1 and level2 jail:
> - allow_mount=1
> - allow_mount_devfs=1
> - enforce_statfs=1 (tried with 0 too but no change)
> - devfs_ruleset=0
> I also set children_max to 10 for the level1 jail.
>
> All the DEVFSIO_RADD errors I had went away when I added the ruleset
> setting, but I am still getting DEVFSIO_SGETNEXT and DEVFSIO_RGETNEXT
> related errors when I try to start the jail:
>
>> root@jaildev:~/iocage # iocage start thick
>> * Starting thick
>> devfs rule: ioctl DEVFSIO_SGETNEXT: Operation not permitted
>> devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not permitted
>> + Start FAILED
>> mount: .: Operation not permitted
>> jail: ioc-thick: /sbin/mount -t devfs -oruleset=1000 . /iocage/jails/thick/root/dev: failed
>
> Any idea what's going on and how to fix this? Did I miss something?
> I tried to look for these DEVFSIO constants but even looking at the
> source I don't really find any indication on what's wrong.

It's not those particular DEVFSIO constants that are the problem, but devfs rulesets generally. Jailed root isn't allowed to do any of those ioctls, which means a child jail isn't allowed anything other than the default ruleset. This is a problem, as the proper behavior would be to restrict child jails to the parent jail's ruleset. As it is, giving allow.mount.devfs permission lets the jail see all the devices it otherwise couldn't.

So you found a bug, just not the one you were looking for.

- Jamie
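For readers who want to reproduce the setup described in this thread without iocage, the following is an added illustration in jail(8) configuration syntax; it is not code from the thread, from iocage or from FreeBSD itself. It translates the iocage properties listed above (allow_mount, allow_mount_devfs, enforce_statfs, devfs_ruleset, children_max) into their jail.conf spellings and shows where the failing mount from the report comes from. The jail names, hostnames, paths and the ruleset number 4 for the parent are assumptions; ruleset 1000 is the one from the failing mount line.

```conf
# Assumed host-side /etc/jail.conf for the level1 (parent) jail.
# jail(8) runs here as host root, so devfs rulesets are usable.
level1 {
    path = "/iocage/jails/level1/root";      # hypothetical path
    host.hostname = "level1.example";         # hypothetical name
    mount.devfs;            # jail(8) mounts devfs on $path/dev on behalf of the jail ...
    devfs_ruleset = 4;      # ... applying ruleset 4 (devfsrules_jail); assumed value
    allow.mount;            # iocage: allow_mount=1
    allow.mount.devfs;      # iocage: allow_mount_devfs=1. Needed so the jail can mount
                            # devfs for its own child, but per the reply above this also
                            # lets jailed root see every device the ruleset would hide.
    enforce_statfs = 1;     # iocage: enforce_statfs=1
    children.max = 10;      # iocage: children_max=10; without it no child jails at all
    persist;
}

# Assumed /etc/jail.conf *inside* level1, i.e. what iocage running there effectively
# generates for the level2 (child) jail. jail(8) now runs as jailed root.
level2 {
    path = "/iocage/jails/thick/root";       # path as seen from inside level1
    host.hostname = "thick.example";          # hypothetical name
    mount.devfs;
    devfs_ruleset = 1000;   # produces "/sbin/mount -t devfs -oruleset=1000 ..." from the report.
                            # Jailed root may not use devfs rulesets (the DEVFSIO_* ioctls),
                            # so the mount fails with EPERM; only the default ruleset works here.
                            # To confirm from inside level1 before starting anything:
                            #   devfs rule showsets      -> DEVFSIO_SGETNEXT: Operation not permitted
                            #   devfs rule -s 1000 show  -> DEVFSIO_RGETNEXT: Operation not permitted
    allow.mount;
    allow.mount.devfs;
    enforce_statfs = 1;
    persist;
}
```

The two blocks are written as separate files on purpose: the first is processed by jail(8) on the host, the second by jail(8) inside level1, and it is only the second, unprivileged-from-the-kernel's-point-of-view invocation that hits the restriction Jamie describes. Nothing in the thread gives a workaround, so none is shown here.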