rc.d/jail not loading default devfs rulesets
James Gritton
jamie at freebsd.org
Sun Nov 17 01:05:25 UTC 2013
On 11/16/2013 2:41 PM, Jan Demter wrote:
> While looking around in the docs, I also noticed that jail(8) has
> contradicting info on the default ruleset for jails:
> devfs_ruleset: "A value of zero (default) means no ruleset is
> enforced."
> mount.devfs: “[…] or a default of ruleset 4: devfsrules_jail […]”
> The latter seems to be correct, though it will probably be an empty
> ruleset as described above.
Those parameters control different things. devfs_ruleset is the ruleset
that is used if devfs is mounted by a process within the jail (which, as
noted, requires specific permission). mount.devfs is only for (the host
system) mounting devfs before the jail is created; while it takes its
ruleset from devfs_ruleset, it includes a further default of rule 4.

I used the default of 4 for mount.devfs's behavior to copy what was
already being done in the shell-script-based jail creation in the old
rc.d/jail - the goal of much of the "pseudo-parameter" part of jail(8)
was to do the same as that script had already done. It would have made
sense for devfs_ruleset's original behavior to use ruleset four as well,
but I hadn't considered anything user-level at the time. So yes, they
have ended up with contradictory behavior, though each alone acts as
documented.
- Jamie
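
Added example, not part of the original message or of FreeBSD's code: a small audit that applies the two defaults described above to a jail.conf and lists jails where a devfs mounted from inside the jail would get ruleset 0. Assumptions: the sample config is constructed, and the in-jail mount permission is taken to be allow.mount plus allow.mount.devfs as documented in jail(8), which the message does not name.

```python
import re

# Constructed sample jail.conf; jail names and paths are hypothetical.
SAMPLE_CONF = """
web   { path = "/jails/web";   mount.devfs; }
build { path = "/jails/build"; mount.devfs; allow.mount; allow.mount.devfs; }
db    { path = "/jails/db";    mount.devfs; devfs_ruleset = 5;
        allow.mount; allow.mount.devfs; }
"""

def parse_jails(text):
    """Parse flat 'name { key = value; flag; }' blocks.
    Not modeled: global parameters, variables, 'no'-prefixed flags."""
    jails = {}
    text = re.sub(r"#.*", "", text)  # drop shell-style comments
    for name, body in re.findall(r"([\w.-]+)\s*\{(.*?)\}", text, re.S):
        params = {}
        for stmt in body.split(";"):
            key, _, value = stmt.strip().partition("=")
            if key.strip():
                # A bare flag such as 'mount.devfs' is stored as True.
                params[key.strip()] = value.strip().strip('"') or True
        jails[name] = params
    return jails

def effective_rulesets(params):
    """Return (host_mount, in_jail_mount) ruleset numbers; None = path unused."""
    explicit = params.get("devfs_ruleset")
    # Host-side mount.devfs: devfs_ruleset if set, otherwise ruleset 4.
    host = int(explicit or 4) if params.get("mount.devfs") else None
    # Mount from inside the jail: devfs_ruleset, whose default 0 enforces nothing.
    # Assumption (jail(8), not the message): the permission is allow.mount
    # plus allow.mount.devfs; the enforce_statfs condition is not checked.
    can_mount = params.get("allow.mount") and params.get("allow.mount.devfs")
    in_jail = int(explicit or 0) if can_mount else None
    return host, in_jail

def unrestricted_in_jail_mounts(text):
    """Names of jails whose in-jail devfs mounts would get ruleset 0."""
    return [name for name, p in parse_jails(text).items()
            if effective_rulesets(p)[1] == 0]

if __name__ == "__main__":
    for name, p in parse_jails(SAMPLE_CONF).items():
        print(name, effective_rulesets(p))
    print("review:", unrestricted_in_jail_mounts(SAMPLE_CONF))
```

Setting devfs_ruleset explicitly, as the constructed `db` jail does, makes both mount paths use the same ruleset.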