new jail(8) ignoring devfs_ruleset?

Jamie Gritton jamie at FreeBSD.org
Fri Mar 22 00:09:55 UTC 2013


On 03/21/13 17:59, Miroslav Lachman wrote:
> Jeremie Le Hen wrote:
>> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>>> schrieb Jamie Gritton am 16.02.2013 00:40 (localtime):
>>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>>> Hello,
>>>>>
>>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>>>> jail.conf capabilities. Thanks for that extension!
>>>>>
>>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>>> If I list /dev/ I see all the hosts disk devices etc.
>>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>>> Inside the jail,
>>>>> sysctl security.jail.devfs_ruleset returns "1".
>>>>> But like mentioned, I can access all devices...
>>>>>
>>>>> Thanks for any help,
>>>>>
>>>>> -Harry
>>>>
>>>> devfs_ruleset is only used along with mount.devfs - do you also have
>>>> that set in jail.conf?
>>>
>>> Thanks for your response.
>>>
>>> Yes, I have mount.devfs; set.
>>> Otherwise I wouldn't have any device inside my jail. Verified - and like
>>> intended, right?
>>> Another notable discrepancy: the man page says that devfs_ruleset is "4"
>>> by default.
>>> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
>>> 'sysctl security.jail.devfs_ruleset': 0
>>> When set, like mentioned above, it returns the corresponding value, but
>>> it doesn't have any effect.
>>> How is devfs_ruleset handled? Does jail(8) do the whole job? I'd like
>>> to help finding the source, but have missed the whole new jail
>>> evolution...
>>> Inside my jails, I don't have a fstab, outside I have them defined and
>>> enabled with "mount" - and noticed the non-reverted umounting.
>>
>> Look at what's in /dev from your jail. There should be a few pseudo
>> devices (see below), but no real devices:
>>
>> $ ls /dev
>> crypto log ptmx random stdin urandom zfs
>> fd null pts stderr stdout zero
>
> I can confirm the mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC
>
> I am now testing the new jail.conf possibilities and I am seeing all devices
> in /dev in the jail.
>
> Even if I set all this in my jail.conf
>
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
> mount.devfs;
> devfs_ruleset = 4;
> allow.set_hostname = false;
>
> path = "/vol0/jail/$name";
> exec.consolelog = "/var/log/jail/$name.console";
> mount.fstab = "/etc/fstab.$name";
>
> ## Jail bali
> bali {
> host.hostname = "bali.XXXXXXX.YY";
> ip4.addr = xx.xx.xx.xx;
> devfs_ruleset = 4;
> }
>
> # jexec 4 tcsh
>
> root at bali:/ # ls -l /dev/
> total 4
> crw-r--r-- 1 root wheel 0, 35 Mar 1 19:39 acpi
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad10 -> ada3
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad10s1 -> ada3s1
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1a -> ada3s1a
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1b -> ada3s1b
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1d -> ada3s1d
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1e -> ada3s1e
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1f -> ada3s1f
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1g -> ada3s1g
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad10s2 -> ada3s2
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2a -> ada3s2a
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2b -> ada3s2b
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2d -> ada3s2d
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2e -> ada3s2e
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad4 -> ada0
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad6 -> ada1
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad8 -> ada2
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad8s1 -> ada2s1
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1a -> ada2s1a
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1b -> ada2s1b
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1d -> ada2s1d
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1e -> ada2s1e
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1f -> ada2s1f
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1g -> ada2s1g
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad8s2 -> ada2s2
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2a -> ada2s2a
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2b -> ada2s2b
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2d -> ada2s2d
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2e -> ada2s2e
> crw-r----- 1 root operator 0, 106 Mar 1 19:39 ada0
> crw-r----- 1 root operator 0, 108 Mar 1 19:39 ada1
> crw-r----- 1 root operator 0, 114 Mar 1 19:39 ada2
> crw-r----- 1 root operator 0, 120 Mar 1 19:39 ada2s1
> crw-r----- 1 root operator 0, 130 Mar 1 19:39 ada2s1a
> crw-r----- 1 root operator 0, 132 Mar 1 19:39 ada2s1b
> crw-r----- 1 root operator 0, 134 Mar 1 19:39 ada2s1d
> crw-r----- 1 root operator 0, 136 Mar 1 19:39 ada2s1e
> crw-r----- 1 root operator 0, 138 Mar 1 19:39 ada2s1f
> crw-r----- 1 root operator 0, 140 Mar 1 19:39 ada2s1g
> crw-r----- 1 root operator 0, 122 Mar 1 19:39 ada2s2
> crw-r----- 1 root operator 0, 142 Mar 1 19:39 ada2s2a
> crw-r----- 1 root operator 0, 144 Mar 1 19:39 ada2s2b
> crw-r----- 1 root operator 0, 146 Mar 1 19:39 ada2s2d
> crw-r----- 1 root operator 0, 148 Mar 1 19:39 ada2s2e
> crw-r----- 1 root operator 0, 116 Mar 1 19:39 ada3
> crw-r----- 1 root operator 0, 124 Mar 1 19:39 ada3s1
> crw-r----- 1 root operator 0, 150 Mar 1 19:39 ada3s1a
> crw-r----- 1 root operator 0, 154 Mar 1 19:39 ada3s1b
> crw-r----- 1 root operator 0, 156 Mar 1 19:39 ada3s1d
> crw-r----- 1 root operator 0, 161 Mar 1 19:39 ada3s1e
> crw-r----- 1 root operator 0, 165 Mar 1 19:39 ada3s1f
> crw-r----- 1 root operator 0, 167 Mar 1 19:39 ada3s1g
> crw-r----- 1 root operator 0, 126 Mar 1 19:39 ada3s2
> crw-r----- 1 root operator 0, 170 Mar 1 19:39 ada3s2a
> crw-r----- 1 root operator 0, 173 Mar 1 19:39 ada3s2b
> crw-r----- 1 root operator 0, 175 Mar 1 19:39 ada3s2d
> crw-r----- 1 root operator 0, 177 Mar 1 19:39 ada3s2e
> crw------- 1 root kmem 0, 19 Mar 1 19:39 audit
> crw------- 1 root wheel 0, 11 Mar 1 19:39 bpf
> lrwxr-xr-x 1 root wheel 3 Mar 22 00:46 bpf0 -> bpf
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 cam
> crw-r----- 1 root operator 0, 118 Mar 1 19:39 cd0
> crw-r----- 1 root operator 0, 208 Mar 1 19:39 cd1
> crw------- 1 root wheel 0, 5 Mar 22 00:43 console
> crw------- 1 root wheel 0, 60 Mar 1 19:39 consolectl
> crw-rw-rw- 1 root wheel 0, 10 Mar 1 19:39 ctty
> crw-rw---- 1 uucp dialer 0, 41 Mar 1 19:39 cuau0
> crw-rw---- 1 uucp dialer 0, 42 Mar 1 19:39 cuau0.init
> crw-rw---- 1 uucp dialer 0, 43 Mar 1 19:39 cuau0.lock
> crw-rw---- 1 uucp dialer 0, 64 Mar 1 19:39 cuau1
> crw-rw---- 1 uucp dialer 0, 65 Mar 1 19:39 cuau1.init
> crw-rw---- 1 uucp dialer 0, 66 Mar 1 19:39 cuau1.lock
> crw-r----- 1 root operator 0, 209 Mar 1 19:39 da0
> crw-r----- 1 root operator 0, 210 Mar 1 19:39 da1
> crw------- 1 root wheel 0, 20 Mar 1 19:39 dcons
> crw------- 1 root wheel 0, 4 Mar 1 19:39 devctl
> cr-------- 1 root wheel 0, 100 Mar 1 19:39 devstat
> crw------- 1 root wheel 0, 21 Mar 1 19:39 dgdb
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 fd
> crw------- 1 root wheel 0, 15 Mar 1 19:39 fido
> crw-r----- 1 root operator 0, 3 Mar 1 19:39 geom.ctl
> crw------- 1 root wheel 0, 28 Mar 1 19:39 io
> lrwxr-xr-x 1 root wheel 5 Mar 22 00:46 kbd0 -> ukbd0
> lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 kbd1 -> kbdmux0
> crw------- 1 root wheel 0, 13 Mar 1 19:39 kbdmux0
> crw------- 1 root wheel 0, 9 Mar 1 19:39 klog
> crw-r----- 1 root kmem 0, 17 Mar 1 19:39 kmem
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 led
> crw------- 1 root wheel 0, 72 Mar 1 19:39 mdctl
> crw-r----- 1 root kmem 0, 16 Mar 1 19:39 mem
> crw-rw-rw- 1 root wheel 0, 7 Mar 1 19:39 midistat
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 mirror
> crw------- 1 root kmem 0, 18 Mar 1 19:39 nfslock
> crw-rw-rw- 1 root wheel 0, 22 Mar 22 00:55 null
> crw------- 1 root operator 0, 101 Mar 1 19:39 pass0
> crw------- 1 root operator 0, 102 Mar 1 19:39 pass1
> crw------- 1 root operator 0, 103 Mar 1 19:39 pass2
> crw------- 1 root operator 0, 104 Mar 1 19:39 pass3
> crw------- 1 root operator 0, 105 Mar 1 19:39 pass4
> crw------- 1 root operator 0, 185 Mar 1 19:39 pass5
> crw------- 1 root operator 0, 206 Mar 1 19:39 pass6
> crw------- 1 root operator 0, 207 Mar 1 19:39 pass7
> crw-r--r-- 1 root wheel 0, 24 Mar 1 19:39 pci
> crw------- 1 root wheel 0, 194 Mar 1 19:40 pf
> crw-rw-rw- 1 root wheel 0, 25 Mar 1 19:39 ptmx
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 pts
> crw-rw-rw- 1 root wheel 0, 26 Mar 1 20:40 random
> cr--r--r-- 1 root wheel 0, 6 Mar 1 19:39 sndstat
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stderr -> fd/2
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stdin -> fd/0
> lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stdout -> fd/1
> crw------- 1 root wheel 0, 8 Mar 1 19:39 sysmouse
> crw------- 1 root wheel 0, 38 Mar 1 19:39 ttyu0
> crw------- 1 root wheel 0, 39 Mar 1 19:39 ttyu0.init
> crw------- 1 root wheel 0, 40 Mar 1 19:39 ttyu0.lock
> crw------- 1 root wheel 0, 61 Mar 1 19:39 ttyu1
> crw------- 1 root wheel 0, 62 Mar 1 19:39 ttyu1.init
> crw------- 1 root wheel 0, 63 Mar 1 19:39 ttyu1.lock
> crw------- 1 root wheel 0, 44 Mar 1 19:40 ttyv0
> crw------- 1 root wheel 0, 45 Mar 1 19:40 ttyv1
> crw------- 1 root wheel 0, 46 Mar 1 19:40 ttyv2
> crw------- 1 root wheel 0, 47 Mar 1 19:40 ttyv3
> crw------- 1 root wheel 0, 48 Mar 1 19:40 ttyv4
> crw------- 1 root wheel 0, 49 Mar 1 19:40 ttyv5
> crw------- 1 root wheel 0, 50 Mar 1 19:40 ttyv6
> crw------- 1 root wheel 0, 51 Mar 1 19:40 ttyv7
> crw------- 1 root wheel 0, 52 Mar 1 19:39 ttyv8
> crw------- 1 root wheel 0, 53 Mar 1 19:39 ttyv9
> crw------- 1 root wheel 0, 54 Mar 1 19:39 ttyva
> crw------- 1 root wheel 0, 55 Mar 1 19:39 ttyvb
> crw------- 1 root wheel 0, 56 Mar 1 19:39 ttyvc
> crw------- 1 root wheel 0, 57 Mar 1 19:39 ttyvd
> crw------- 1 root wheel 0, 58 Mar 1 19:39 ttyve
> crw------- 1 root wheel 0, 59 Mar 1 19:39 ttyvf
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 ufs
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 ufsid
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen0.1 -> usb/0.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen1.1 -> usb/1.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen1.2 -> usb/1.2.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen2.1 -> usb/2.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen3.1 -> usb/3.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen3.2 -> usb/3.2.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen4.1 -> usb/4.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen5.1 -> usb/5.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen6.1 -> usb/6.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen7.1 -> usb/7.1.0
> lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen7.2 -> usb/7.2.0
> crw------- 1 root wheel 0, 163 Mar 1 19:39 ukbd0
> crw-r--r-- 1 root operator 0, 169 Mar 1 19:39 ums0
> crw-r--r-- 1 root operator 0, 172 Mar 1 19:39 ums1
> lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 urandom -> random
> dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 usb
> crw-r--r-- 1 root operator 0, 70 Mar 1 19:39 usbctl
> crw------- 1 root wheel 0, 69 Mar 1 19:39 vboxdrv
> crw------- 1 root wheel 0, 196 Mar 1 19:40 vboxnetctl
> crw------- 1 root operator 0, 71 Mar 1 19:39 xpt0
> crw-rw-rw- 1 root wheel 0, 23 Mar 1 19:39 zero
>
> Is it a problem in my understanding of the manpage / configuration, or is it
> a bug in the jail command on 9.1-RELEASE?
>
> Miroslav Lachman

It's a bug (deficiency) in the jail command.

- Jamie
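A quick check for the symptom discussed in this thread, added here as an example and not part of the original posts: it compares a jail's /dev entries against the pseudo-device allowlist Jeremie quoted above, so a ruleset that was silently not applied shows up as leaked host device nodes. The helper names and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Verify that a jail's /dev only contains the pseudo-devices a jail
# devfs ruleset is expected to leave visible. Any other entry means the
# configured devfs_ruleset was not applied to the jail's devfs mount.

# Allowlist: the /dev contents of a correctly restricted jail, as quoted
# in the thread (crypto, fd, log, null, ptmx, pts, random, ...).
ALLOWED="crypto fd log null ptmx pts random stderr stdin stdout urandom zero zfs"

# unexpected_devices NAME... : print each name that is not on the allowlist,
# one per line (hypothetical helper, not a jail(8) or devfs(8) feature).
unexpected_devices() {
    for entry in "$@"; do
        case " $ALLOWED " in
            *" $entry "*) ;;                 # expected pseudo-device
            *) printf '%s\n' "$entry" ;;     # host device leaked into the jail
        esac
    done
}

# check_dev_listing NAME... : return 0 if the listing is clean, 1 otherwise,
# reporting the leaked entries on stderr.
check_dev_listing() {
    leaked=$(unexpected_devices "$@")
    if [ -n "$leaked" ]; then
        printf 'devfs ruleset not applied; host devices visible in jail /dev:\n%s\n' \
            "$leaked" >&2
        return 1
    fi
    return 0
}

# check_jail_dev PATH : run the check against a real jail root, e.g.
# check_jail_dev /vol0/jail/bali (the jail's devfs mount is visible from the host).
check_jail_dev() {
    check_dev_listing $(ls "$1/dev")
}

# Constructed sample mirroring the leaky listing in the thread (shortened):
# disks, kernel memory and the packet filter are all visible inside the jail.
SAMPLE_LEAKY_DEV="acpi ada0 ada0s1a bpf console kmem mem null pass0 pf random zero"
check_dev_listing $SAMPLE_LEAKY_DEV
```

Run `check_jail_dev /path/to/jail` on the host after the jail is started; a non-zero exit with a list of disk, memory or filter nodes is the "ruleset ignored" condition reported above.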

