Regular user mounting via fusefs in a jail

Daniel LaFlamme · Jan 27, 2016

I have a host called "host" and a jail running on that host called "jail" I am trying to allow a regular user logged in interactively inside the jail to use fusefs to mount an iso, through the archivemount program.

On host:

Code:

host# sysctl vfs.usermount
vfs.usermount: 1
host# sysctl security.jail.enforce_statfs
security.jail.enforce_statfs: 1
host# sysctl security.jail.mount_allowed
security.jail.mount_allowed: 1
host#

host# kldstat
Id Refs Address  Size  Name
 1  79 0xffffffff80200000 1513000  kernel
 2  1 0xffffffff819de000 fe03c  ispfw.ko
 3  1 0xffffffff81c12000 48ff  geom_stripe.ko
 4  1 0xffffffff81c17000 10568  geom_raid3.ko
 5  1 0xffffffff81c28000 102dd  geom_raid5.ko
 6  1 0xffffffff81c39000 5826  geom_gate.ko
 7  1 0xffffffff81c3f000 4a1c  geom_multipath.ko
 8  1 0xffffffff81c44000 b1a  dtraceall.ko
 9  1 0xffffffff81c45000 4ed6  profile.ko
10  3 0xffffffff81c4a000 3564  cyclic.ko
11  10 0xffffffff81c4e000 3466f  dtrace.ko
12  1 0xffffffff81c83000 fef0  systrace_freebsd32.ko
13  1 0xffffffff81c93000 10be4  systrace.ko
14  1 0xffffffff81ca4000 4ade  sdt.ko
15  1 0xffffffff81ca9000 48eb  lockstat.ko
16  1 0xffffffff81cae000 b664  fasttrap.ko
17  1 0xffffffff81cba000 6697  fbt.ko
18  1 0xffffffff81cc1000 556b  dtnfscl.ko
19  1 0xffffffff81cc7000 458e  dtmalloc.ko
20  1 0xffffffff81ccc000 8869  ipmi.ko
21  1 0xffffffff81cd5000 336a0  if_cxgbe.ko
22  2 0xffffffff81d09000 2bb1  vboxnetflt.ko
23  2 0xffffffff81d0c000 46f6c  vboxdrv.ko
24  1 0xffffffff81d53000 44f8  ng_ether.ko
25  1 0xffffffff81d58000 400a  vboxnetadp.ko
26  1 0xffffffff81d5d000 92cb  fuse.ko
host#

Here is what happens when I try to mount the iso on jail as a regular user:

Code:

jail% archivemount file.iso ./mnt
fuse: failed to open fuse device: Permission denied
jail%

And what happens when I try to mount the ISO on jail as root:

Code:

jail# archivemount file.iso ./mnt2
mount_fusefs: /dev/fuse on /mnt/dan/content/test/mnt2: Operation not permitted
fuse: failed to mount file system: No such file or directory
jail#

Where mnt is owned by the regular user and mnt2 is owned by root. Both are directories.

Any suggestions on how to debug further?

SirDice · Jan 27, 2016

You probably need to modify devfs(8) rules, most devices are hidden for jails.

Daniel LaFlamme · Jan 30, 2016

I think the devfs(8) rules are correct. I can see the device in devfs(8) from the jail:

Code:

jail% ls -l /dev/fuse
crw-rw----  1 root  operator  0xd0 Jan 30 22:32 /dev/fuse
jail%

I get the same error message when I try the archivemount(1) command as the regular user or as root. My regular use is a member of the operator group.

Anything else I can try?

Daniel LaFlamme · Feb 9, 2016

Just spent a bit of time checking things to try to get this to work and I still get "Operation not permitted." In addition to what I tried before, this time I tried mount_cd9660 directly (instead of using archivemount):

jail% mount_cd9660 file.iso ./mnt

Code:

mount_cd9660: file.iso: Operation not permitted

Similarly, I tried using sshfs to ensure I got the same error as I got when trying to mount the ISO:
jail% sshfs dan@otherhost:/home/dan $(pwd)/mnt

Code:

mount_fusefs: /dev/fuse on /mnt/dan/content/test/mnt: Operation not permitted
fuse: failed to mount file system: No such file or directory

I feel like I've checked everything and am not sure what is blocking access. A couple of questions:

a) With devfs, if I can see the device inside the jail (with ls -l) and it has rw permissions for the group my regular user is a member of, does that necessarily mean that the devfs fules are set up correctly?
b) Is there some sort of tracing/enhanced logging I can enable to narrow in on what is causing the Operation not permitted?

FYI, here are some sysctls that are set (viewed from inside the jail):

Code:

security.jail.devfs_ruleset: 100
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 0
security.jail.mount_procfs_allowed: 0
security.jail.mount_nullfs_allowed: 0
security.jail.mount_devfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 1
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.vnet: 1
security.jail.jailed: 1

Where devfs_ruleset 100 looks like (in /etc/devfs.rules):

Code:

[fuserules=100]
add path 'fuse*' mode 660 group operator

And I have the following in /etc/devfs.conf:

Code:

own fuse root:eek:perator
perm fuse 0660

pyakex · Aug 14, 2016

I am having a similar problem. Did you have any luck solving this?

Remington · Aug 14, 2016

You could probably mount the iso in host and do a hardlink to user's jail. That's one way of solving this until a permanent solution is found.

tobik@ · Aug 14, 2016

Hard links don't work across file system boundaries / mount points. Maybe with mount_nullfs?

logicue · Aug 10, 2017

Anyone who found a solution for this problem ?

binzyw · Dec 9, 2017

Anyone solved this issue?

n1ck1355 · Oct 1, 2020

Hey There

I just registered and have currently the same Problem in Freebsd 12.1
I just want to mount sshfs inside jail and have the sysctls activated as mentioned in some tutorials.

I get the same error as OP:
mount_fusefs: /dev/fuse on /usr/local/mnt: Operation not permitted

Regular user mounting via fusefs in a jail

Administrator