new jail(8) ignoring devfs_ruleset?
Harald Schmalzbauer
h.schmalzbauer at omnilan.de
Mon Feb 18 08:54:51 UTC 2013
Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>> Hello,
>>
>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>> jail.conf capabilities. Thanks for that extension!
>>
>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>> If I list /dev/ I see all the host's disk devices etc.
>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>> Inside the jail,
>> sysctl security.jail.devfs_ruleset returns "1".
>> But like mentioned, I can access all devices...
>>
>> Thanks for any help,
>>
>> -Harry
>
> devfs_ruleset is only used along with mount.devfs - do you also have
> that set in jail.conf?

Thanks for your response.
Yes, I have mount.devfs; set.
Otherwise I wouldn't have any device inside my jail. Verified - and like
intended, right?

Another notable discrepancy: The man page says that devfs_ruleset is "4"
by default.
But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
'sysctl security.jail.devfs_ruleset': 0
When set, like mentioned above, it returns the corresponding value, but
it doesn't have any effect.

How does devfs_ruleset get handled? Does jail(8) do the whole job? I'd like
to help find the source, but have missed the whole new jail evolution...

Inside my jails, I don't have a fstab, outside I have them defined and
enabled with "mount" - and noticed the non-reverted umounting.

Thanks,

-Harry
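
A host-side check for the symptom described in this message (host disk devices visible in the jail's /dev), added here as an example and not part of the original post. The function name, the allowlist of expected nodes and the jail path in the final comment are assumptions; the allowlist should be adjusted to the ruleset actually applied.

```shell
#!/bin/sh
# Added example: list entries in a jail's /dev that a restrictive devfs
# ruleset would be expected to hide. The allowlist is an assumption modelled
# on a typical jail ruleset, not taken from the original message.

# unexpected_dev_nodes DIR
# Prints one name per line for every top-level entry in DIR that is not on
# the allowlist. Returns 0 if nothing unexpected was found, 1 if something
# was, and 2 if DIR is not a directory.
unexpected_dev_nodes() {
    dev_dir=$1
    [ -d "$dev_dir" ] || { echo "not a directory: $dev_dir" >&2; return 2; }
    found=0
    for entry in "$dev_dir"/* "$dev_dir"/.[!.]*; do
        # Skip the literal pattern left behind by a glob that matched nothing.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case $name in
            null|zero|random|urandom|crypto) ;;       # basic nodes
            fd|stdin|stdout|stderr) ;;                 # descriptor nodes
            ptmx|pts|pty[p-sP-S]*|tty[p-sP-S]*) ;;     # pseudo-terminals
            zfs) ;;                                    # ZFS control node
            *) echo "$name"; found=1 ;;                # e.g. ada0, da0s1
        esac
    done
    return $found
}

# Constructed usage, run on the host against a hypothetical jail root:
#   unexpected_dev_nodes /jails/example/dev
```

Any name it prints (disk nodes such as ada0, for instance) means the devfs mount under that path is not being filtered the way the configured ruleset number suggests.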