Hi there,

is it intentional that rc.d/jail does not load the default devfs rulesets on
current and 10.0? It used to work like this on 9.x and earlier, now you have to
explicitly load them (e.g. with devfs_load_rulesets in rc.conf).

If you do not do this, ruleset 4 (devfsrules_jail) will just be created and
left empty on mount of the in-jail /dev, making the normal set of device nodes
available. That is quite an easy escape path :)

This does not seem to be documented anywhere and is somewhat surprising, so I
suspect it is an oversight? Apart from that I really like the work on
jail.conf, thanks a lot!

While looking around in the docs, I also noticed that jail(8) has contradicting
info on the default ruleset for jails:

devfs_ruleset: "A value of zero (default) means no ruleset is enforced."
mount.devfs: "[…] or a default of ruleset 4: devfsrules_jail […]"

The latter seems to be correct, though it will probably be an empty ruleset as
described above.

Best wishes,
Jan
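
The condition described in the message above can be checked on a host. The following is an added example, not part of the original post: a shell check that reports whether ruleset 4 holds any rules and whether rc.conf enables devfs_load_rulesets. The function names and the sample rule listing are constructed for illustration; it assumes `devfs rule -s 4 show` (devfs(8)) prints one rule per line and is run as root.

```shell
#!/bin/sh
# Added example: detect the state described above, where ruleset 4
# (devfsrules_jail) exists but holds no rules. Function names are hypothetical.

# Classify `devfs rule -s 4 show` output read from stdin (one rule per line).
classify_ruleset() {
    n=$(awk 'NF { n++ } END { print n + 0 }')
    if [ "$n" -eq 0 ]; then echo "EMPTY"; else echo "LOADED:$n"; fi
}

# Succeed if the rc.conf text on stdin enables devfs_load_rulesets.
# The last assignment wins, as when rc.conf is sourced by rc(8).
rc_loads_rulesets() {
    grep -E '^[[:space:]]*devfs_load_rulesets=' | tail -n 1 |
        grep -Eiq '="?(yes|true|on|1)"?[[:space:]]*(#.*)?$'
}

# Constructed sample: a populated ruleset 4 as listed by devfs(8).
SAMPLE_LOADED='100 include 1
200 include 2
300 include 3
400 path zfs unhide'

if command -v devfs >/dev/null 2>&1; then
    # FreeBSD host: inspect the live ruleset and the local rc.conf.
    if out=$(devfs rule -s 4 show 2>/dev/null); then
        state=$(printf '%s\n' "$out" | classify_ruleset)
        echo "ruleset 4: $state"
        if [ "$state" = "EMPTY" ]; then
            echo "WARNING: a jail /dev mounted with ruleset 4 hides nothing"
        fi
    fi
    if [ -r /etc/rc.conf ] && ! rc_loads_rulesets < /etc/rc.conf; then
        echo "rc.conf does not enable devfs_load_rulesets"
    fi
else
    # No devfs(8) here: run the classifier on the constructed sample.
    printf '%s\n' "$SAMPLE_LOADED" | classify_ruleset   # LOADED:4
fi
```

An `EMPTY` result on a host that runs jails is the case the message describes: the in-jail /dev is mounted with a ruleset that contains no hide rules.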