new jail(8) ignoring devfs_ruleset?

Jamie Gritton jamie at FreeBSD.org
Fri Mar 22 00:46:59 UTC 2013


On 03/21/13 18:20, Miroslav Lachman wrote:
> Jamie Gritton wrote:
>> On 03/21/13 17:59, Miroslav Lachman wrote:
>>> Jeremie Le Hen wrote:
>>>> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>>>>> schrieb Jamie Gritton am 16.02.2013 00:40 (localtime):
>>>>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8)
>>>>>>> and
>>>>>>> jail.conf capabilities. Thanks for that extension!
>>>>>>>
>>>>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>>>>> If I list /dev/ I see all the hosts disk devices etc.
>>>>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>>>>> Inside the jail,
>>>>>>> sysctl security.jail.devfs_ruleset returns "1".
>>>>>>> But like mentioned, I can access all devices...
>
> [...]
>
>>> I can confirm mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC
>>>
>>> I am now testing new jail.conf possibilities and I am seeing all devices
>>> in /dev in jail.
>>>
>>> Even if I set all this in my jail.conf
>>>
>>> exec.start = "/bin/sh /etc/rc";
>>> exec.stop = "/bin/sh /etc/rc.shutdown";
>>> exec.clean;
>>> mount.devfs;
>>> devfs_ruleset = 4;
>>> allow.set_hostname = false;
>>>
>>> path = "/vol0/jail/$name";
>>> exec.consolelog = "/var/log/jail/$name.console";
>>> mount.fstab = "/etc/fstab.$name";
>>>
>>> ## Jail bali
>>> bali {
>>> host.hostname = "bali.XXXXXXX.YY";
>>> ip4.addr = xx.xx.xx.xx;
>>> devfs_ruleset = 4;
>>> }
>
> [...]
>
>>> Is it a problem in my understanding of manpage / configuration, or is it
>>> a bug in jail command on 9.1-RELEASE?
>>
>> It's a bug (deficiency) in the jail command.
>
> Is there a workaround or is it impossible to use jails with devfs on
> FreeBSD 9.1?
> Shouldn't it be mentioned in 9.1 errata?
>
> Is it fixed in stable/9?
>
> Thank you for your reply and your great work on new jails!

It's not fixed anywhere yet - it sometimes works in current, and
sometimes doesn't. I've been meaning to patch it up, but if the problem
is what I think it is, the patching up is a pretty big operation.

It doesn't mean you can't use jails with devfs in 9.1, just that you
can't use them with jail.conf. The old jail rc file that's all
shell-based is still the official jail startup method, and that one
still works. So existing systems will still work as expected, hence no
errata.

- Jamie
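The symptom described in this thread (the jail's /dev showing the host's disk devices even though devfs_ruleset = 4 is set) can be checked from the host rather than trusted from the config. The following POSIX sh script is an added example, not code from the thread or from FreeBSD: it reads a jail's /dev listing and reports any node that a jail running under the default devfsrules_jail ruleset should not see. The list of "host-only" device name patterns is an assumption based on typical FreeBSD 9.x device names (ada*, da*, mem, kmem, bpf*, ...) and should be adjusted for the host in question; the check_jail helper uses jexec(8) and so only works on a FreeBSD host, while the rest runs anywhere on constructed input.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect host device nodes
# leaking into a jail's /dev, the symptom reported above for jail.conf's
# devfs_ruleset on 9.1-RELEASE.

# Glob patterns for device nodes a jail confined by devfsrules_jail should
# never see. ASSUMPTION: names as found on a typical FreeBSD 9.x host;
# extend for other disk controllers, NICs or consoles as needed.
HOST_ONLY_PATTERNS='ada* da* ad* md* mem kmem io pci cd* acd* ttyu* ttyv* ugen* usb* bpf*'

# devfs_leaks: read device names (one per line, with or without a /dev/ or ./
# prefix) from stdin, print every name matching a host-only pattern, and
# return 1 if anything leaked, 0 if the listing looks properly confined.
devfs_leaks() {
    found=0
    while IFS= read -r dev; do
        dev=${dev#/dev/}
        dev=${dev#./}
        [ -n "$dev" ] || continue
        for pat in $HOST_ONLY_PATTERNS; do
            # An unquoted $pat is expanded and then matched as a glob pattern.
            case "$dev" in
                $pat) printf '%s\n' "$dev"; found=1; break ;;
            esac
        done
    done
    return $found
}

# count_leaks: take a newline-separated listing as its argument and print the
# number of leaked nodes (0 when the jail is confined as expected).
count_leaks() {
    printf '%s\n' "$1" | devfs_leaks | wc -l | tr -d ' '
}

# check_jail: collect the listing from a running jail (by name or jid) with
# jexec(8) and report leaks. FreeBSD-only; not run automatically.
#   check_jail bali
check_jail() {
    jexec "$1" ls /dev | devfs_leaks
}
```

A clean result is an empty report and exit status 0; any output means the devfs ruleset named in the configuration was not applied to that jail's devfs mount, which is exactly the 9.1 jail.conf behaviour the thread describes and a reason to fall back to the rc-based jail startup until it is fixed.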


More information about the freebsd-stable mailing list