From nobody Fri Sep 27 18:34:26 2024 X-Original-To: freebsd-jail@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XFfJL6xcQz5X4nn for ; Fri, 27 Sep 2024 18:34:26 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XFfJL6SbHz4M17 for ; Fri, 27 Sep 2024 18:34:26 +0000 (UTC) (envelope-from jamie@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1727462066; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SetHgW5goPYHO5I8dzHV4W2+Sa0DH3w5RiQ7scVMu4w=; b=a/W2A7Gqk7sjkRbkeYLb1SEa4mUTt9xiKCt3A7eQhhQsuURN62pj+me8jD+MX34pmnIlAQ TPZevCeVRLMudbyXIfUyiGeKmsJLfXfHzQ9hzlwFHHmIGn/ccbfw13HMEocym6hhK6VvN8 1A9YTkl2SMfFsHNAYxxi/4Y8mWZFCQJ2EhXI3KikFCs6vyK2znfhg0BOH+3UCxyXQ0tgpJ jnFW86s4FRXabQ1l31Y8RVn0JBoRUU1p78dtJtx1dKCGhqRkOSjOLM6PTMDzLbEPg4wRbB couopPnM6m+EjWngJF/v+4ni/T6dBDKjUnKBb8UP9sdyEmjhHfWNL6YekgC1HQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1727462066; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SetHgW5goPYHO5I8dzHV4W2+Sa0DH3w5RiQ7scVMu4w=; b=fMueVLn23TRgVxcb2ApNRiZLl5CVEMvocAAeMkDAyPpw2cptaByywiWsr/i54UbvjqtiCf 7xAx9ajBGkMDAVBFqpGiEpQyxtxiVeng04sCOwP+bL7YCHK/gHIB/QQlCjYMN0QnXO6NFD mDuj44kNtarUf9kD5pkVCG3ZEfSqPtNLUktQv9SCJlyOVCitJlfAX9xTC1oKjT9zzswgY0 bi+Hmdor5f6diECDC82irnlmbi4Ok/547dCH9x00esHerQucWroPviOo+6a4tc+0NWP/zp 2y6KkDg9ipDKItXvsXe30GQzw2ESwvQE1ZEdpuCYOudyeuzFsq20lDzVyHjxIQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1727462066; a=rsa-sha256; cv=none; b=xi49T1jqO88VxJiJUdN3CkkEA8GrAi2bxjkEYIf575UjuzI4kIlyGTDt2OqpHcxjpnIHQ8 phPv0yMS5QL1YcPwdICKsePw4JBPtudCh76JauiWF974P+Asfo9ZOtt2/uzrE+u89crM07 4K9K2g2EwTKh6exel5ofKrOCrpDv5KvI32qUUZoDYdXIK1EjZCeuCRNFAfrXP9expCztv+ u7qTXIlQXBSb7euW7qK4j5bp96qtvrVrzOu0LmbdQkU3G+YpdKmYPHWttpqznJ3SVWCEwh vV2kA9aTd1Ixx1xDsyqBWm155QPTt/NEquybgWt9ra/9MaNoJtywxt/0c4+3og== Received: from m2.gritton.org (gritton.org [67.43.236.212]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: jamie) by smtp.freebsd.org (Postfix) with ESMTPSA id 4XFfJL5qnnz19TQ for ; Fri, 27 Sep 2024 18:34:26 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org (localgritton [127.0.0.212]) by m2.gritton.org (Postfix) with ESMTPSA id 2B7CE1D6AA for ; Fri, 27 Sep 2024 11:34:26 -0700 (PDT) List-Id: Discussion about FreeBSD jail(8) List-Archive: https://lists.freebsd.org/archives/freebsd-jail List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-jail@FreeBSD.org MIME-Version: 1.0 Date: Fri, 27 Sep 2024 11:34:26 -0700 From: James Gritton To: freebsd-jail@freebsd.org Subject: Re: Devfs error with hierarchical jails In-Reply-To: References: Message-ID: <0ca1a124ff2e09c06ca16d6ea93e8424@freebsd.org> X-Sender: jamie@freebsd.org Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 2024-09-27 05:01, Quentin Thébault wrote: > I am trying to make iocage usable in hierarchical jail scenarios. > I think I solved most issues in the code, but devfs is giving me a hard > time. > > I put the following configuration both at the level1 and level2 jail: > - allow_mount=1 > - allow_mount_devfs=1 > - enforce_statfs=1 (tried with 0 too but no change) > - devfs_ruleset=0 > I also set children_max to 10 for the level1 jail. > > All the DEVFSIO_RADD errors I had went away when I added the ruleset > setting, but I am still getting DEVFSIO_SGETNEXT and DEVFSIO_RGETNEXT > related errors when I try to start the jail: > >> root@jaildev:~/iocage # iocage start thick >> * Starting thick >> devfs rule: ioctl DEVFSIO_SGETNEXT: Operation not permitted >> devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not permitted >> + Start FAILED >> mount: .: Operation not permitted >> jail: ioc-thick: /sbin/mount -t devfs -oruleset=1000 . >> /iocage/jails/thick/root/dev: failed > > Any idea what's going on and how to fix this? Did I miss something? > I tried to look for these DEVFSIO constants but even looking at the > source > I don't really find any indication on what's wrong. It's not those particular DEVFSIO constants that are the problem, but devfs rulesets generally. Jailed root isn't allowed to do any of those ioctls, which means a child jail isn't allowed anything other than default ruleset. This is a problem, as the proper behavior would be to restrict child jails to the parent jail's ruleset. As it is, giving allow.mount.devfs permission lets the jail see all the devices it otherwise couldn't. So you found a bug, just not the one you were looking for. - Jamie