enforce_statfs showing leading path
Mateusz Guzik
mjguzik at gmail.com
Tue Jan 8 20:14:40 UTC 2019
On 1/8/19, Michael W. Lucas <mwlucas at michaelwlucas.com> wrote:
> Hi,
>
> I'm experimenting with enforce_statfs for the jails book, and have hit
> an inconsistency. Not sure if the bug should go to src or doc. Running
> last week's -current.
>
> According to jail(8):
>
> When set to 1, only mount points below the jail's chroot
> directory are visible. In addition to that, the path to the
> jail's chroot directory is removed from the front of their
> pathnames.
>
> Seems pretty clear that I shouldn't see anything other than
>
> # jls -h name enforce_statfs
> ...
> ioc-www1 1
>
> So, as I read it, the jail's chroot directory should be stripped down
> to /. But inside the jail:
>
> root@www1:~ # mount
> iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)
> devfs on /dev (devfs, local, multilabel)
> fdescfs on /dev/fd (fdescfs)
>
> I see the jail's chroot directory.
>
> This seems to contradict the man page, unless I'm misunderstanding.
>
> Is this a software bug? A ZFS thing? A doc bug? Or am I just an idiot?
>
> Also, should this path be stripped when enforce_statfs is set to 1 *or
> above*? Or is this strictly when set to 1? If I'm filing a bug, it
> might as well be complete...
>
The "path" you are seeing is the dataset name, which you made to resemble
the mount point.
Whether the full dataset name should be exposed or not is a very different
question; does illumos do it?
Worst case, it should be trivial to add a sysctl to just obfuscate the name.
--
Mateusz Guzik <mjguzik gmail.com>
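
The distinction drawn in the reply, as an added example that is not part of the original thread: each line of mount(8) output has a source field (`f_mntfromname` in FreeBSD's `struct statfs`, here the ZFS dataset name) and a mount point field (`f_mntonname`, the only one the jail(8) text about stripped pathnames describes). The function names and the audit check are assumptions made for illustration; the sample input is constructed from the three lines quoted above.

```python
import re

# FreeBSD mount(8) prints: "<f_mntfromname> on <f_mntonname> (<fstype>, <options>)"
MOUNT_RE = re.compile(r"^(?P<source>.+?) on (?P<target>/.*?) \((?P<opts>[^)]*)\)$")

# Constructed sample: the mount output quoted in the thread.
SAMPLE = """\
iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)
devfs on /dev (devfs, local, multilabel)
fdescfs on /dev/fd (fdescfs)
"""


def parse_mount(text):
    """Split mount(8) lines into source, mount point, fs type and options."""
    entries = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        fstype, *options = [o.strip() for o in m.group("opts").split(",")]
        entries.append({
            "source": m.group("source"),   # dataset or device name
            "target": m.group("target"),   # mount point as seen in the jail
            "fstype": fstype,
            "options": options,
        })
    return entries


def exposed_dataset_names(entries):
    """Hypothetical audit check: ZFS sources whose name has several
    components, i.e. names that show the host's pool/dataset layout."""
    return [e["source"] for e in entries
            if e["fstype"] == "zfs" and "/" in e["source"]]


if __name__ == "__main__":
    parsed = parse_mount(SAMPLE)
    for e in parsed:
        print(f'{e["target"]:<8} <- {e["source"]} ({e["fstype"]})')
    print("dataset names visible in jail:", exposed_dataset_names(parsed))
```

Run inside a jail against real `mount` output, the mount points come back relative to the jail root while the source column still carries whatever dataset name the host assigned.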