new jail(8) ignoring devfs_ruleset?
Miroslav Lachman
000.fbsd at quip.cz
Fri Mar 22 00:06:43 UTC 2013
Jeremie Le Hen wrote:
> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>> Hello,
>>>>
>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>>> jail.conf capabilities. Thanks for that extension!
>>>>
>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>> If I list /dev/ I see all the hosts disk devices etc.
>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>> Inside the jail,
>>>> sysctl security.jail.devfs_ruleset returns "1".
>>>> But like mentioned, I can access all devices...
>>>>
>>>> Thanks for any help,
>>>>
>>>> -Harry
>>>
>>> devfs_ruleset is only used along with mount.devfs - do you also have
>>> that set in jail.conf?
>>
>> Thanks for your response.
>>
>> Yes, I have mount.devfs; set.
>> Otherwise I wouldn't have any device inside my jail. Verified - and like
>> intended, right?
>> Another notable discrepancy: The man page says that devfs_ruleset is "4"
>> by default.
>> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
>> 'sysctl security.jail.devfs_ruleset': 0
>> When set, like mentioned above, it returns the corresponding value, but
>> it doesn't have any effect.
>> How is devfs_ruleset handled? Does jail(8) do the whole job? I'd like
>> to help finding the source, but have missed the whole new jail evolution...
>> Inside my jails, I don't have a fstab, outside I have them defined and
>> enabled with "mount" - and noticed the non-reverted umounting.
>
> Look at what's in /dev from your jail. There should be a few pseudo
> devices (see below), but no real devices:
>
> $ ls /dev
> crypto log ptmx random stdin urandom zfs
> fd null pts stderr stdout zero
I can confirm the mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC.
I am now testing the new jail.conf possibilities and I am seeing all devices
in /dev in the jail.
Even if I set all this in my jail.conf:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;
allow.set_hostname = false;
path = "/vol0/jail/$name";
exec.consolelog = "/var/log/jail/$name.console";
mount.fstab = "/etc/fstab.$name";
## Jail bali
bali {
host.hostname = "bali.XXXXXXX.YY";
ip4.addr = xx.xx.xx.xx;
devfs_ruleset = 4;
}
# jexec 4 tcsh
root at bali:/ # ls -l /dev/
total 4
crw-r--r-- 1 root wheel 0, 35 Mar 1 19:39 acpi
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad10 -> ada3
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad10s1 -> ada3s1
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1a -> ada3s1a
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1b -> ada3s1b
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1d -> ada3s1d
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1e -> ada3s1e
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1f -> ada3s1f
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1g -> ada3s1g
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad10s2 -> ada3s2
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2a -> ada3s2a
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2b -> ada3s2b
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2d -> ada3s2d
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2e -> ada3s2e
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad4 -> ada0
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad6 -> ada1
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad8 -> ada2
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad8s1 -> ada2s1
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1a -> ada2s1a
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1b -> ada2s1b
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1d -> ada2s1d
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1e -> ada2s1e
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1f -> ada2s1f
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1g -> ada2s1g
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad8s2 -> ada2s2
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2a -> ada2s2a
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2b -> ada2s2b
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2d -> ada2s2d
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2e -> ada2s2e
crw-r----- 1 root operator 0, 106 Mar 1 19:39 ada0
crw-r----- 1 root operator 0, 108 Mar 1 19:39 ada1
crw-r----- 1 root operator 0, 114 Mar 1 19:39 ada2
crw-r----- 1 root operator 0, 120 Mar 1 19:39 ada2s1
crw-r----- 1 root operator 0, 130 Mar 1 19:39 ada2s1a
crw-r----- 1 root operator 0, 132 Mar 1 19:39 ada2s1b
crw-r----- 1 root operator 0, 134 Mar 1 19:39 ada2s1d
crw-r----- 1 root operator 0, 136 Mar 1 19:39 ada2s1e
crw-r----- 1 root operator 0, 138 Mar 1 19:39 ada2s1f
crw-r----- 1 root operator 0, 140 Mar 1 19:39 ada2s1g
crw-r----- 1 root operator 0, 122 Mar 1 19:39 ada2s2
crw-r----- 1 root operator 0, 142 Mar 1 19:39 ada2s2a
crw-r----- 1 root operator 0, 144 Mar 1 19:39 ada2s2b
crw-r----- 1 root operator 0, 146 Mar 1 19:39 ada2s2d
crw-r----- 1 root operator 0, 148 Mar 1 19:39 ada2s2e
crw-r----- 1 root operator 0, 116 Mar 1 19:39 ada3
crw-r----- 1 root operator 0, 124 Mar 1 19:39 ada3s1
crw-r----- 1 root operator 0, 150 Mar 1 19:39 ada3s1a
crw-r----- 1 root operator 0, 154 Mar 1 19:39 ada3s1b
crw-r----- 1 root operator 0, 156 Mar 1 19:39 ada3s1d
crw-r----- 1 root operator 0, 161 Mar 1 19:39 ada3s1e
crw-r----- 1 root operator 0, 165 Mar 1 19:39 ada3s1f
crw-r----- 1 root operator 0, 167 Mar 1 19:39 ada3s1g
crw-r----- 1 root operator 0, 126 Mar 1 19:39 ada3s2
crw-r----- 1 root operator 0, 170 Mar 1 19:39 ada3s2a
crw-r----- 1 root operator 0, 173 Mar 1 19:39 ada3s2b
crw-r----- 1 root operator 0, 175 Mar 1 19:39 ada3s2d
crw-r----- 1 root operator 0, 177 Mar 1 19:39 ada3s2e
crw------- 1 root kmem 0, 19 Mar 1 19:39 audit
crw------- 1 root wheel 0, 11 Mar 1 19:39 bpf
lrwxr-xr-x 1 root wheel 3 Mar 22 00:46 bpf0 -> bpf
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 cam
crw-r----- 1 root operator 0, 118 Mar 1 19:39 cd0
crw-r----- 1 root operator 0, 208 Mar 1 19:39 cd1
crw------- 1 root wheel 0, 5 Mar 22 00:43 console
crw------- 1 root wheel 0, 60 Mar 1 19:39 consolectl
crw-rw-rw- 1 root wheel 0, 10 Mar 1 19:39 ctty
crw-rw---- 1 uucp dialer 0, 41 Mar 1 19:39 cuau0
crw-rw---- 1 uucp dialer 0, 42 Mar 1 19:39 cuau0.init
crw-rw---- 1 uucp dialer 0, 43 Mar 1 19:39 cuau0.lock
crw-rw---- 1 uucp dialer 0, 64 Mar 1 19:39 cuau1
crw-rw---- 1 uucp dialer 0, 65 Mar 1 19:39 cuau1.init
crw-rw---- 1 uucp dialer 0, 66 Mar 1 19:39 cuau1.lock
crw-r----- 1 root operator 0, 209 Mar 1 19:39 da0
crw-r----- 1 root operator 0, 210 Mar 1 19:39 da1
crw------- 1 root wheel 0, 20 Mar 1 19:39 dcons
crw------- 1 root wheel 0, 4 Mar 1 19:39 devctl
cr-------- 1 root wheel 0, 100 Mar 1 19:39 devstat
crw------- 1 root wheel 0, 21 Mar 1 19:39 dgdb
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 fd
crw------- 1 root wheel 0, 15 Mar 1 19:39 fido
crw-r----- 1 root operator 0, 3 Mar 1 19:39 geom.ctl
crw------- 1 root wheel 0, 28 Mar 1 19:39 io
lrwxr-xr-x 1 root wheel 5 Mar 22 00:46 kbd0 -> ukbd0
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 kbd1 -> kbdmux0
crw------- 1 root wheel 0, 13 Mar 1 19:39 kbdmux0
crw------- 1 root wheel 0, 9 Mar 1 19:39 klog
crw-r----- 1 root kmem 0, 17 Mar 1 19:39 kmem
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 led
crw------- 1 root wheel 0, 72 Mar 1 19:39 mdctl
crw-r----- 1 root kmem 0, 16 Mar 1 19:39 mem
crw-rw-rw- 1 root wheel 0, 7 Mar 1 19:39 midistat
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 mirror
crw------- 1 root kmem 0, 18 Mar 1 19:39 nfslock
crw-rw-rw- 1 root wheel 0, 22 Mar 22 00:55 null
crw------- 1 root operator 0, 101 Mar 1 19:39 pass0
crw------- 1 root operator 0, 102 Mar 1 19:39 pass1
crw------- 1 root operator 0, 103 Mar 1 19:39 pass2
crw------- 1 root operator 0, 104 Mar 1 19:39 pass3
crw------- 1 root operator 0, 105 Mar 1 19:39 pass4
crw------- 1 root operator 0, 185 Mar 1 19:39 pass5
crw------- 1 root operator 0, 206 Mar 1 19:39 pass6
crw------- 1 root operator 0, 207 Mar 1 19:39 pass7
crw-r--r-- 1 root wheel 0, 24 Mar 1 19:39 pci
crw------- 1 root wheel 0, 194 Mar 1 19:40 pf
crw-rw-rw- 1 root wheel 0, 25 Mar 1 19:39 ptmx
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 pts
crw-rw-rw- 1 root wheel 0, 26 Mar 1 20:40 random
cr--r--r-- 1 root wheel 0, 6 Mar 1 19:39 sndstat
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stderr -> fd/2
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stdin -> fd/0
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stdout -> fd/1
crw------- 1 root wheel 0, 8 Mar 1 19:39 sysmouse
crw------- 1 root wheel 0, 38 Mar 1 19:39 ttyu0
crw------- 1 root wheel 0, 39 Mar 1 19:39 ttyu0.init
crw------- 1 root wheel 0, 40 Mar 1 19:39 ttyu0.lock
crw------- 1 root wheel 0, 61 Mar 1 19:39 ttyu1
crw------- 1 root wheel 0, 62 Mar 1 19:39 ttyu1.init
crw------- 1 root wheel 0, 63 Mar 1 19:39 ttyu1.lock
crw------- 1 root wheel 0, 44 Mar 1 19:40 ttyv0
crw------- 1 root wheel 0, 45 Mar 1 19:40 ttyv1
crw------- 1 root wheel 0, 46 Mar 1 19:40 ttyv2
crw------- 1 root wheel 0, 47 Mar 1 19:40 ttyv3
crw------- 1 root wheel 0, 48 Mar 1 19:40 ttyv4
crw------- 1 root wheel 0, 49 Mar 1 19:40 ttyv5
crw------- 1 root wheel 0, 50 Mar 1 19:40 ttyv6
crw------- 1 root wheel 0, 51 Mar 1 19:40 ttyv7
crw------- 1 root wheel 0, 52 Mar 1 19:39 ttyv8
crw------- 1 root wheel 0, 53 Mar 1 19:39 ttyv9
crw------- 1 root wheel 0, 54 Mar 1 19:39 ttyva
crw------- 1 root wheel 0, 55 Mar 1 19:39 ttyvb
crw------- 1 root wheel 0, 56 Mar 1 19:39 ttyvc
crw------- 1 root wheel 0, 57 Mar 1 19:39 ttyvd
crw------- 1 root wheel 0, 58 Mar 1 19:39 ttyve
crw------- 1 root wheel 0, 59 Mar 1 19:39 ttyvf
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 ufs
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 ufsid
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen0.1 -> usb/0.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen1.1 -> usb/1.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen1.2 -> usb/1.2.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen2.1 -> usb/2.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen3.1 -> usb/3.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen3.2 -> usb/3.2.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen4.1 -> usb/4.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen5.1 -> usb/5.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen6.1 -> usb/6.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen7.1 -> usb/7.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen7.2 -> usb/7.2.0
crw------- 1 root wheel 0, 163 Mar 1 19:39 ukbd0
crw-r--r-- 1 root operator 0, 169 Mar 1 19:39 ums0
crw-r--r-- 1 root operator 0, 172 Mar 1 19:39 ums1
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 urandom -> random
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 usb
crw-r--r-- 1 root operator 0, 70 Mar 1 19:39 usbctl
crw------- 1 root wheel 0, 69 Mar 1 19:39 vboxdrv
crw------- 1 root wheel 0, 196 Mar 1 19:40 vboxnetctl
crw------- 1 root operator 0, 71 Mar 1 19:39 xpt0
crw-rw-rw- 1 root wheel 0, 23 Mar 1 19:39 zero
Is it a problem in my understanding of the manpage / configuration, or is it
a bug in the jail command on 9.1-RELEASE?
Miroslav Lachman
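A check for the symptom discussed in this thread, added here as an example (it is not code from the thread or from FreeBSD): run inside a jail, it compares the entries in /dev with the pseudo-device set that a correctly applied ruleset 4 (devfsrules_jail in /etc/defaults/devfs.rules) leaves visible, and flags host hardware such as disks, kernel memory or the packet filter that should never be reachable from a jail. The expected-device list is taken from the restricted ls /dev output quoted above; the glob patterns for host devices, the function names and the sample listings in the test are my own assumptions.

```shell
#!/bin/sh
# Added example: audit a jail's /dev for devices that a working
# devfs_ruleset (ruleset 4, devfsrules_jail) would have hidden.
# The expected names come from the restricted "ls /dev" listing quoted
# in the thread; the host-device globs and function names are assumptions.

# Entries a ruleset-4 jail is expected to see (fd/ and pts/ are directories).
EXPECTED_DEVS="crypto fd log null ptmx pts random stderr stdin stdout urandom zero zfs"

# Return 0 if the name looks like a device that should never be visible in a
# jail (disks and partitions, CAM pass-through, kernel memory, bpf/pf,
# consoles and serial ports, USB). Seeing one means the ruleset was not
# applied, which is exactly the listing reported above.
host_device() {
    case "$1" in
        ad[0-9]*|ada[0-9]*|da[0-9]*|cd[0-9]*|pass[0-9]*|xpt[0-9]*|geom.ctl|mdctl) return 0 ;;
        mem|kmem|io|bpf*|pf|devctl|devstat|audit|klog) return 0 ;;
        console|consolectl|ttyv*|ttyu*|cuau*|kbd*|sysmouse) return 0 ;;
        usb*|ugen*|ukbd*|ums*|vbox*|acpi|pci) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one /dev entry per line on stdin, print every entry outside the
# expected set (marking host devices), and return 0 only when nothing
# unexpected was found.
audit_devlist() {
    bad=0
    while IFS= read -r dev; do
        [ -n "$dev" ] || continue
        case " $EXPECTED_DEVS " in
            *" $dev "*) continue ;;
        esac
        if host_device "$dev"; then
            echo "LEAK: host device visible in jail: $dev"
        else
            echo "unexpected entry: $dev"
        fi
        bad=1
    done
    return $bad
}

# Audit a device directory (default /dev); the exit status is that of
# audit_devlist. Inside a jail: jexec <jid> sh audit-dev.sh --run
audit_dev_dir() {
    dir="${1:-/dev}"
    ls -1 "$dir" | audit_devlist
}

# Only audit the live /dev when explicitly asked, so the file can also be
# sourced. The sysctl shows the configured ruleset number, which (as the
# thread observes) says nothing about whether it was actually applied.
if [ "${1:-}" = "--run" ]; then
    command -v sysctl >/dev/null 2>&1 &&
        echo "security.jail.devfs_ruleset = $(sysctl -n security.jail.devfs_ruleset 2>/dev/null)"
    audit_dev_dir /dev && echo "OK: /dev contains only the expected pseudo devices"
fi
```

The sysctl value alone is not evidence, since both posters above see the configured number while every host device stays visible; the listing is what has to be checked. Because devfs_ruleset only takes effect together with mount.devfs, a jail whose /dev shows the host's disks, /dev/mem or /dev/kmem has effectively full access to the host, so this check belongs right after every jail start.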