devfs_ruleset is broken

[avonix]

Setting it to anything other than the default value disables all restrictions. Any idea why? Am I doing it wrong perhaps?

{
//
devfs_ruleset=(rule number);
mount.devfs;
//
}

 

[avonix]

How do I bump my threads? The problem still persists, jailing is literally broken right now.

 

[DutchDaemon]

You do not do it by posting the word 'bump'. You do it by adding additional information, additional log files, or an additional description of what you tried in the meantime.

 

[avonix]

Here is how jail's /dev looks like by default (mount.devfs):

dr-xr-xr-x  2 root  wheel   512 Aug  5 16:33 fd
crw-rw-rw-  1 root  wheel  0x29 Aug  5 16:33 null
dr-xr-xr-x  2 root  wheel   512 Aug  5 16:33 pts
crw-r--r--  1 root  wheel   0x8 Aug  5 15:43 random
lrwxr-xr-x  1 root  wheel     4 Aug  5 16:33 stderr -> fd/2
lrwxr-xr-x  1 root  wheel     4 Aug  5 16:33 stdin -> fd/0
lrwxr-xr-x  1 root  wheel     4 Aug  5 16:33 stdout -> fd/1
lrwxr-xr-x  1 root  wheel     6 Aug  5 16:33 urandom -> random
crw-rw-rw-  1 root  wheel  0x2a Aug  5 15:43 zero

If I set devfs_ruleset to a custom value (except 4) I can see every device file there. Rulesets does not apply at all.

 

[tingo]

Try reading the devfs manual pages again, starting with devfs.rules(5).

 

[sidetone]

If I set devfs_ruleset to a custom value (except 4) I can see every device file there.

Ruleset 4 includes the other rulesets. When I tried setting a ruleset that included others in the jail, it didn't work. When I wrote out every ruleset needed from 1 through 3, and 4 out, instead of including those rulesets, in a custom ruleset, it worked.

It's like includes don't work from there, but writing the included rulesets out from the custom ruleset worked. I don't understand this enough to go further, as I just write them all out manually, instead of including the other rulesets.

 

[avonix]

Ruleset 4 includes the other rulesets. When I tried setting a ruleset that included others in the jail, it didn't work. When I wrote out every ruleset needed from 1 through 3, and 4 out, instead of including those rulesets, in a custom ruleset, it worked.

It's like includes don't work from there, but writing the included rulesets out from the custom ruleset worked. I don't understand this enough to go further, as I just write them all out manually, instead of including the other rulesets.

That doesn't work either. Is this looking correct?

[devfsrules_custom=99]
add hide
add path null unhide
add path zero unhide
add path random unhide
add path urandom unhide

Try reading the devfs manual pages again, starting with devfs.rules(5).

manpages didn't helped much.

 

[avonix]

My problem still persists. Can someone post how their jail /dev tree looks like with this config?

j {
mount.devfs;
devfs_ruleset = 4;
persist;
path = "pathToJail";
}

 

[T-Daemon]

No problem here on 13.1-RELEASE.

Have you restarted the hosts devfs service after editing /etc/devfs.rules and before starting the jail?

... Is this looking correct?

[devfsrules_custom=99]
add hide
add path null unhide
add path zero unhide
add path random unhide
add path urandom unhide

Above rules works for me, as is or with reference to devfsrules_hide_all instead of add hide:

crw-rw-rw-  1 root  wheel     0x29 Aug 18 02:26 null
crw-r--r--  1 root  wheel      0x8 Aug 18 02:11 random
lrwxr-xr-x  1 root  wheel        6 Aug 18 02:27 urandom@ -> random
crw-rw-rw-  1 root  wheel     0x2a Aug 18 02:11 zero