Solved How to mount a USB drive in a jail?

[tOsYZYny]

I have these sysctls set:

security.jail.mount_allowed=1
security.jail.mount_zfs_allowed=1
security.jail.mount_devfs_allowed=1
security.jail.mount_procfs_allowed=1
security.jail.mount_nullfs_allowed=1
security.jail.mount_tmpfs_allowed=1
security.jail.mount_fusefs_allowed=1

In my jail configuration, I have:

devfs_ruleset="210";

allow.mount=1;
allow.mount.procfs=1;
allow.mount.zfs=1;
enforce_statfs=1;

allow.mount.fusefs=1;

devfs.rules

[jail_devfs=210]
add path da* unhide

I can see the da0 device in the jail; however, when I try to mount it as root, I get:

mount /dev/da0s2a /mnt/usb
mount: /dev/da0s2a: Operation not permitted

Now, oddly enough, the sysctl params are showing as 0, which doesn't seem right to me:
sysctl -a | grep mount

vfs.zfs.allow_redacted_dataset_mount: 0
vfs.ffs.compute_summary_at_mount: 0
vfs.root_mount_hold:
vfs.root_mount_always_wait: 0
vfs.usermount: 0
security.jail.mount_zfs_allowed: 1
security.jail.mount_devfs_allowed: 0
security.jail.mount_procfs_allowed: 1
security.jail.mount_nullfs_allowed: 0
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_fusefs_allowed: 1
security.jail.param.zfs.mount_snapshot: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.tmpfs: 0
security.jail.param.allow.mount.fusefs: 0
security.jail.param.allow.mount.: 0
security.jail.mount_allowed: 1

I should also mention that both the host / base system and jail are using secure_level = 2. I can mount the volume just fine on the host though.

What else is required for this to work in the jail?

I want to be able to do this in the jail so that I can leave the base system as just platform to run jails. Eventually, I'd like to try to see if I can get mtpfs working too.

 

[SirDice]

I have these sysctls set:

Don't set these, they're all deprecated in favor of per-jail settings.

devfs.rules

Not entirely sure but I think you also need to allow access to the various /dev/pass* devices.

 

[tOsYZYny]

I just added pass* in my devfs rules, restarted devfs and am able to see /dev/pass* in the jail, but still cannot mount the USB drive with the same error.

 

[SirDice]

I just added pass* in my devfs rules, restarted devfs and am able to see /dev/pass* in the jail, but still cannot mount the USB drive with the same error.

Try restarting the jail itself.

 

[tOsYZYny]

Nope, that still didn't work.

 

[tOsYZYny]

I suspect that because I am using secure level 2, that I cannot load msdosfs ... let me try force loading that at boot ...

That was not it, I have msdosfs built into the kernel.

 

[tOsYZYny]

So, I can mount mtp via jmtpfs (fuse), but cannot mount ufs or msdosfs. I think I read somewhere that certain filesystems are supported and others were not. I'm surprised mtp works and msdos or ufs don't.

allow.mount;
allow.mount.devfs;
allow.mount.fusefs;
allow.mount.nullfs;
allow.mount.procfs;
allow.mount.tmpfs;
allow.mount.zfs;