new jail(8) ignoring devfs_ruleset?

Jamie Gritton jamie at FreeBSD.org
Mon Feb 18 16:26:51 UTC 2013


On 02/18/13 01:54, Harald Schmalzbauer wrote:
> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>> Hello,
>>>
>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>> jail.conf capabilities. Thanks for that extension!
>>>
>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>> If I list /dev/ I see all the hosts disk devices etc.
>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>> Inside the jail,
>>> sysctl security.jail.devfs_ruleset returns "1".
>>> But like mentioned, I can access all devices...
>>>
>>> Thanks for any help,
>>>
>>> -Harry
>>
>> devfs_ruleset is only used along with mount.devfs - do you also have
>> that set in jail.conf?
>
> Thanks for your response.
>
> Yes, I have mount.devfs; set.
> Otherwise I wouldn't have any device inside my jail. Verified - and like
> intended, right?
> Another notable discrepancy: The man page says that devfs_ruleset is "4"
> by default.
> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
> 'sysctl security.jail.devfs_ruleset': 0
> When set, like mentioned above, it returns the corresponding value, but
> it doesn't have any effect.
> How does devfs_ruleset get handled? Does jail(8) do the whole job? I'd like
> to help find the source, but have missed the whole new jail evolution...
> Inside my jails, I don't have a fstab, outside I have them defined and
> enabled with "mount" - and noticed the non-reverted umounting.

I found the problem - I noticed you mentioned 9.1-R, and took a look at
devfs(5). On CURRENT, there's a mount option "ruleset" that isn't there
on 9.

So I'll have to get around it by running devfs(8) after the mount. I'll
work on a patch for that.

- Jamie
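As an added example (not from the thread or from jail(8) itself), here is a jail.conf fragment that applies the workaround Jamie describes on a 9.1 host: let jail(8) do mount.devfs as before, then run devfs(8) against the jail's /dev to apply ruleset 4. The jail name "www", its path and its address are assumptions; ruleset 4 is the "devfsrules_jail" set from /etc/defaults/devfs.rules and must already be loaded on the host.

```conf
# /etc/jail.conf on a FreeBSD 9.1 host (added example; names are assumptions).
# Prerequisite: ruleset 4 must be loaded on the host. rc.d/devfs loads it at
# boot from /etc/defaults/devfs.rules; confirm with "devfs rule showsets".

path = "/jails/$name";
host.hostname = "$name.example.org";
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
enforce_statfs = 1;

# jail(8) mounts devfs on $path/dev while creating the jail.
mount.devfs;

# On 9.1 this value only ends up in security.jail.devfs_ruleset; jail(8)
# cannot pass it as a devfs mount option because 9's devfs(5) has no
# "ruleset" option, so the jail still sees the host's full /dev.
devfs_ruleset = 4;

# Workaround: apply the ruleset to the jail's devfs mount from the host
# once the jail exists. exec.poststart runs after exec.start, so the jail's
# rc scripts briefly run with the unrestricted /dev before this takes effect.
exec.poststart = "devfs -m $path/dev rule -s 4 applyset";

www {
	ip4.addr = 192.0.2.10;
}
```

After "jail -c www", "ls /jails/www/dev" on the host should no longer list the host's disk devices (ada*, da*, etc.); if it still does, check "devfs rule showsets" for ruleset 4 before suspecting jail.conf.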


More information about the freebsd-stable mailing list