Solved Caramba! Device makes it into a jail AFTER I explicitly hid it on jail start

Okkkk, this is so dangerous. I did "add hide" for all devices before starting a jail and then whitelisted a couple of devices I need.

Then, some time later ukbd0 and kbd2 miraculously appear in the jail! 😲😲😲

This seems crazy. Can a jail make sure nothing gets added to it dynamically after it is started?! I assumed that was the default behavior.
 
This is now very bizarre.

Before: mount devfs and apply a ruleset that hides all and whitelists some devices. The jail works, only see the devices I want when I start it, the application works and connects to the internet.

After: do not mount devfs, don't use ruleset, add the very same devices I whitelisted before statically using cp -Rp to the jail_root/dev/ folder. The jail works, I see the devices I statically linked, but the application's internet connectivity does not function.

Does anyone know what's wrong with this?
 
I tried using cp -Rp, I tried mknod, I tried ln -sf, nothing works.

I narrowed it down to /dev/null being the issue. If I use mknod jail_root/dev/null c 0 20, firefox does load, but it does not have any internet connectivity. If I just mount devfs and whitelist /dev/null, firefox has internet connectivity. I checked permissions and everything looks the same for jail_root/dev/null when it is mounted with mknod.

This is really strange. Why won't static /dev/null work just like if it's mounted as part of devfs??? Helpppp
 
Static linking of devices to jail's /dev/ does not work, we must only work with devfs.

I don't understand this - it seems that devfs should scan the rules on new device attach events and hide new devices based on the jail's ruleset that's applied to the jail's mounted /dev. Could someone confirm whether this is how it's supposed to work? It doesn't seem to work for my ephemeral jail.
 
O. M. G.

It turns out that you must add mount.devfs and devfs_ruleset to the jail's parameters. Then, the ruleset will be applied to the jail on any new events.

What I was doing was mounting devfs and applying the ruleset manually before starting the jail. That was getting me a filtered /dev/ on the jail, but the jail didn't know it needed to apply a ruleset on any devfs events.

Problem solved. Whew! So relieved. FreeBSD is so powerful. 😌😌😌
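For reference, here is what the working setup described in the thread looks like as configuration. This is an added example, not the original poster's files: the ruleset number (100), the jail name and path, and the whitelisted device names are assumptions; the only device the thread itself names as required is /dev/null.

```sh
# /etc/devfs.rules  (assumed ruleset number; loaded by "service devfs restart")
#
# Hide everything first, then unhide only the nodes the jail needs.
# Because the jail is started with devfs_ruleset=100 (below), the kernel
# keeps applying this ruleset when new device nodes appear later
# (e.g. a USB keyboard attaching as ukbd0/kbd2), so they stay hidden.
[devfsrules_ephemeral=100]
add hide
add path null unhide
add path zero unhide
add path random unhide
add path urandom unhide

# /etc/jail.conf  (assumed jail name and path)
#
# mount.devfs makes jail(8) mount devfs inside the jail itself;
# devfs_ruleset tells the jail which ruleset governs that mount.
# Mounting devfs by hand before "jail -c" does not set this association.
myjail {
    path = "/jails/myjail";
    host.hostname = "myjail";
    mount.devfs;
    devfs_ruleset = 100;
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}

# Load the rules, start the jail, and verify the association took effect.
# service devfs restart
# devfs rule -s 100 show            # ruleset 100 lists the hide/unhide rules
# jail -c myjail
# jls -j myjail devfs_ruleset       # prints 100
# jexec myjail ls -l /dev           # only null, zero, random, urandom visible
# (attach a USB device, then re-run the ls: the new node must not appear)
```

The check at the end is the one that distinguishes the two approaches in the thread: with a hand-mounted devfs the initial listing looks identical, and the difference only shows up when a device attaches after the jail is running.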
 