jails Strange behavior with "devfs_ruleset"

I

ikevin8me

I've noticed a strange problem with setting"devfs_ruleset" in jail.conf.

In jail.conf:

Code: 
testjail {
  host.hostname = testjail;
  devfs_ruleset = 27;
#note: with no other configuration for this jail
}

Note: ruleset 27 does NOT exist - I've checked in /etc/defaults/devfs.rules and /etc/devfs.rules. In fact, I can set ruleset 6, 7, 9 etc which all don't exist and produces the same result.

The jail does get started. And from inside the jail, I can go to "cd /dev" and "ls" and it shows many devices.

If I removed "devfs_ruleset = 27;", and restart the jail, "cd /dev" and 'ls" will not show those devices.

The strange thing is I can set "devfs_ruleset" to ANY NUMBER, and inside the jail, "cd /dev" and 'ls" will show many devices.

To test "devfs_ruleset = 27" is indeed being read correctly, I've changed it to "-1" and there is a error upon restarting the jail.

I don't understand why I can set a ruleset for a jail to any number, and by doing so, it will expose all devices to the jail.
 
ikevin8me said:
I don't understand why I can set a ruleset for a jail to any number, and by doing so, it will expose all devices to the jail.
Click to expand...
If it's a non-existing rule then no rules can be applied, thus you get to see all the devices. If you do not set a rule the default devfsrules_jail or devfsrules_jail_vnet gets applied. Both of these will hide pretty much all devices.

A bit of pseudo code:
Code: 
if -n devfs_ruleset then
  apply devfs_ruleset
else 
  apply devfsrules_jail
 
Thanks for your reply! I'm quite surprised...
So, is there a way to query a jail (to print out) which ruleset has been loaded?
 
You must log in or register to reply here.
Back
Top