Solved jails - Accessing devices from Bastille

sidetone

Daemon

Reaction score: 907
Messages: 1,856

How do I make devices in /dev/ accessible inside a Bastille jail?

When I have two sets of rules, how do I set this in rc.conf.local, from within the host system?
Code:
devfs_system_ruleset="localrules"
How would bastille also get referenced with this?

In devfs.rules of the host (not within the jail), I have:
Code:
[localrules=10]
add path 'dri/*'        mode 0666 group video
add path 'drm/*'        mode 0666 group video
add path 'da*'          mode 0771 group operator
add path 'cd0'          mode 0775 group operator
add path 'fuse'         mode 0755 group operator
add path 'usb/*'        mode 0755 group operator
add path 'unlpt*'       mode 0755 group cups
add path 'ulpt*'        mode 0775 group cups

[bastille=11]
add path 'mixer*' unhide

I don't understand what makes it apply to the jail, and to the jail file system. Also, how is the number in the headings applicable to the set of rules?
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 12,285
Messages: 38,796

You set it on the jail definition.
Code:
     devfs_ruleset
             The number of the devfs ruleset that is enforced for mounting
             devfs in this jail.  A value of zero (default) means no ruleset
             is enforced.  Descendant jails inherit the parent jail's devfs
             ruleset enforcement.  Mounting devfs inside a jail is possible
             only if the allow.mount and allow.mount.devfs permissions are
             effective and enforce_statfs is set to a value lower than 2.
             Devfs rules and rulesets cannot be viewed or modified from inside
             a jail.
See jail(8).

OP
sidetone

/etc/sysctl.conf:
Code:
security.jail.mount_allowed=1
security.jail.mount_devfs_allowed=1
Also through sysctl.

rc.conf:
Code:
devfs_system_ruleset="localrules"
devfs_jail_ruleset="name"
In this ruleset, I label it as "jail" not "bastille"?

devfs.rules:
Code:
[name=11]
add include $devfsrules_hide_all
add path 'mixer*' unhide
This applies to jails, because of the argument in rc.conf? The number 11 doesn't matter, except for order, and that it doesn't take up another used number for devfs?
 

SirDice

Through sysctl.
Keep in mind those are deprecated in favor of per jail settings (allow.mount and allow.mount.devfs).
Code:
root@hosaka:~ # sysctl -d security.jail.mount_allowed
security.jail.mount_allowed: Processes in jail can mount/unmount jail-friendly file systems (deprecated)
root@hosaka:~ # sysctl -d security.jail.mount_devfs_allowed
security.jail.mount_devfs_allowed: Jail may mount the devfs file system (deprecated)

You assign a certain rule set to a jail like this:
Code:
testjail {
        path = /tmp/jail/testjail;
        mount.devfs;
        devfs_ruleset = 11;                # <- sets the ruleset to apply to this jail (jail(8) parameter devfs_ruleset)
        host.hostname = testhostname;
        ip4.addr = 192.0.2.100;
        interface = em0;
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown jail";
}
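The two things this thread keeps circling back to (does the number in the [name=N] header matter, and what actually makes the set restrict the jail's /dev) fail silently when they are wrong: a number that is already taken by a set in /etc/defaults/devfs.rules merges your rules into that set, and a set that only unhides nodes, without first including $devfsrules_hide_all (or a set that does), leaves the whole host /dev visible inside the jail. The script below is an added example, not code from this thread or from sysutils/bastille; it checks both conditions on constructed sample files. The function names, the file names and the sample content are mine; the default set names and numbers 1-4 mirror a stock /etc/defaults/devfs.rules, but newer releases define more sets, so read the real file on your host.

```shell
# Added example (not from the thread or from sysutils/bastille): sanity-check
# a ruleset in a devfs.rules-style file before a jail definition points at it
# with "devfs_ruleset = N;". Assumes the "[name=N]" header form of
# devfs.rules(5); the constructed defaults below copy sets 1-4 of a stock
# /etc/defaults/devfs.rules (newer releases define more).

# Print "name number" for every [name=N] header in file $1.
ruleset_headers() {
    sed -n 's/^[[:space:]]*\[\([A-Za-z_][A-Za-z0-9_]*\)=\([0-9][0-9]*\)\].*$/\1 \2/p' "$1"
}

# Succeed if number $2 is used by no header in file $1. rc.d/devfs loads each
# section with "devfs rule -s N add ...", so a number shared with a default set
# (devfsrules_jail=4 is what jails get by default) lands both in one set.
ruleset_number_free() {
    [ -z "$(ruleset_headers "$1" | awk -v n="$2" '$2 == n')" ]
}

# Print the rules of ruleset $2 in file $1 (blank and comment lines dropped).
ruleset_body() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ { inset = ($0 ~ ("^[[:space:]]*\\[" want "=")); next }
        inset && NF && $1 !~ /^#/ { print }
    ' "$1"
}

# A jail ruleset has to hide everything before it unhides anything: a set that
# only says "add path 'mixer*' unhide" leaves the whole host /dev (disks,
# mem/kmem, other jails' ptys, ...) visible inside the jail.
ruleset_hides_all_first() {
    first=$(ruleset_body "$1" "$2" | sed -e 's/^[[:space:]]*//' -e 1q)
    case "$first" in
        'add hide'*|'add include $devfsrules_hide_all'*|'add include $devfsrules_jail'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when ruleset $3 in file $2 is safe to use next to the defaults in
# file $1; print the reason and fail otherwise.
check_jail_ruleset() {
    defaults=$1 local_rules=$2 name=$3
    num=$(ruleset_headers "$local_rules" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$num" ] || { echo "$name: no such ruleset in $local_rules"; return 1; }
    ruleset_number_free "$defaults" "$num" \
        || { echo "$name=$num: number already used in $defaults"; return 1; }
    dups=$(ruleset_headers "$local_rules" | awk -v n="$num" '$2 == n { c++ } END { print c+0 }')
    [ "$dups" -eq 1 ] || { echo "$name=$num: number defined $dups times in $local_rules"; return 1; }
    ruleset_hides_all_first "$local_rules" "$name" \
        || { echo "$name=$num: first rule is not 'add hide' or an include of \$devfsrules_hide_all"; return 1; }
    echo "$name=$num: ok, use devfs_ruleset = $num; in the jail definition"
}

# Constructed sample files: a trimmed stand-in for /etc/defaults/devfs.rules
# and a host /etc/devfs.rules with the sets from the thread plus two bad ones.
write_samples() {
    cat > "$1/defaults.rules" <<'EOF'
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path null unhide
add path zero unhide

[devfsrules_unhide_login=3]
add path 'tty*' unhide
add path 'pts/*' unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
EOF
    cat > "$1/local.rules" <<'EOF'
[localrules=10]
add path 'dri/*' mode 0666 group video

# unhide only: everything in the host /dev stays visible in the jail
[bastille=11]
add path 'mixer*' unhide

# number clashes with devfsrules_jail
[clash=4]
add include $devfsrules_hide_all
add path 'mixer*' unhide

# what a jail that only needs audio should look like
[audiojail=12]
add include $devfsrules_jail
add path 'mixer*' unhide
add path 'dsp*' unhide
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for rs in localrules bastille clash audiojail; do
    check_jail_ruleset "$tmp/defaults.rules" "$tmp/local.rules" "$rs" || true
done
rm -rf "$tmp"
```

On a real host, after adding a set to /etc/devfs.rules, `service devfs restart` loads it and `devfs rule -s 12 show` prints it; a jail that is already running needs `devfs -m /path/to/jail/dev rule -s 12 applyset` (or a restart of the jail) before the change shows up in its /dev, and, as the jail(8) excerpt above says, none of this can be inspected or changed from inside the jail.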
 
OP
sidetone

I was about to create and edit /etc/jail.conf.

It's at /usr/local/bastille/jails/[myjail]/jail.conf. It looks like a lot is here to set it. For reference, there's an fstab in this directory as well. The actual jail is the next directory down.
 

SirDice

I honestly didn't realize you were referring to sysutils/bastille. I'm somewhat tainted by various security books and documentation. A Bastille host is, in security parlance, a (security) hardened host. And I honestly thought you were setting that up using a jail. I didn't realize it was also the name of a tool to set up jails. Looks good, I might actually try it myself too (I've been looking for a good ezjail alternative).
 
OP
sidetone

Was Napoleon kept in a bastille?

I'll update my progress later, also so that someone who reads this can get hints on what to do.

There wasn't enough documentation for this there.
 
OP
sidetone

I edited /usr/local/bastille/jails/[myjail]/jail.conf, on this line: devfs_ruleset=.

The number was changed according to what's in my host directory of /etc/defaults/devfs.rules. [the jail directory had the same entries.]

In the sysutils/bastille jail, the devices showed up in /dev/ according to this ruleset setting.


With this, I got audio/sox to play music from the command-line in the jail. Still more work to do for running graphical programs within bastille, and using packages built from bastille on my host system, which is for another thread.

SirDice

> I edited /usr/local/bastille/jails/[myjail]/jail.conf, on this line: devfs.ruleset=.
I've been playing around with sysutils/bastille now, you can set this with bastille config <jailname> set devfs.ruleset="<rule>". You don't need to edit those files by hand.
 
OP
sidetone

Corrections:
  • devfs_ruleset=4. It was a "_", not a "."
  • jail.conf references host devfs.rules to set /dev/ permissions. The jail devfs.rules matched the one on host, but it's not the jail one.
I edited my posts above to correct these.