Jails & mounts

I am attempting to mount an ISO with specific options inside a jail.

I first created a new blank iso
Code:
dd if=/dev/zero of=file.iso bs=1024 count=102040

Then put an ext2fs on it
Code:
mke2fs file.iso

Ensure rc.conf & sysctl.conf allow for mounts
Code:
jail_name_mount_enable="YES"

Code:
security.jail.mount_allowed=1

Created a simple startup script to handle mdconfig on the ISO
Code:
#!/bin/sh

# PROVIDE: jail_mount
# BEFORE: DAEMON

. /etc/rc.subr

name=jail_mount
rcvar=jail_mount_enable

start_cmd="${name}_start"
stop_cmd="${name}_stop"

load_rc_config $name

# Default to disabled unless jail_mount_enable="YES" is set in rc.conf
eval "${rcvar}=\${${rcvar}:-'NO'}"

jail_mount_start()
{
        # Attach the image file as the vnode-backed memory disk /dev/md0
        /sbin/mdconfig -a -t vnode -f /jail/file.iso -u 0
}

jail_mount_stop()
{
        # Detach md0; mdconfig -d already removes the device node, so the
        # unlink only matters if a stale node was left behind
        /sbin/mdconfig -d -u 0
        /bin/unlink /dev/md0
}

run_rc_command "$1"

And accounted for it within the jail's fstab.name
Code:
# Device        Mountpoint              FStype  Options Dump                    Pass#
/dev/md0        /jail/tmp   ext2fs  rw,nosuid,noexec,nosymfollow    0       0

I must be missing something... outside of the jail:
Code:
/dev/md0 on /jail/tmp (ext2fs, local, noexec, nosuid, nosymfollow)

And inside the jail:
Code:
# jexec 1 mount
/dev/ada0p2 on / (ufs, local, journaled soft-updates)

What am I missing?
 
Code:
dice@molly:~> sysctl security.jail.enforce_statfs
security.jail.enforce_statfs: 2

From jail(8):
Code:
     enforce_statfs
             This determines which information processes in a jail are able to
             get about mount points.  It affects the behaviour of the following
             syscalls: statfs(2), fstatfs(2), getfsstat(2) and fhstatfs(2)
             (as well as similar compatibility syscalls).  When set to 0, all
             mount points are available without any restrictions.  When set to
             1, only mount points below the jail's chroot directory are visible.
             In addition to that, the path to the jail's chroot directory
             is removed from the front of their pathnames.  When set to 2
             (default), above syscalls can operate only on a mount-point where
             the jail's chroot directory is located.
 
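The reply above explains why the ext2fs mount was invisible from inside the jail, and the fstab line earlier in the thread asks for noexec, nosuid and nosymfollow. The script below is an added example, not code posted in the thread: it parses mount(8)-style output, confirms that a given mount point is visible and carries every required option, and encodes the jail(8) rule for which enforce_statfs values let a jail see a mount below its root. The mount output it works on is a constructed sample embedded in the script so it runs anywhere; on a real host you would feed it `jexec <jid> mount` and compare against `sysctl -n security.jail.enforce_statfs`.

```shell
#!/bin/sh
# Added example: verify jail-visible mount options and enforce_statfs visibility.
# Not part of the original thread; sample output below is constructed.

# Constructed sample of what `jexec 1 mount` prints inside the jail.
SAMPLE_MOUNT='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/dev/md0 on /tmp (ext2fs, local, noexec, nosuid, nosymfollow)
devfs on /dev (devfs, local, multilabel)'

# mount_opts MOUNTPOINT -- read mount(8) output on stdin and print the
# comma-separated option list for MOUNTPOINT; prints nothing if absent.
mount_opts() {
    awk -v mp="$1" '$3 == mp {
        sub(/^[^(]*\(/, ""); sub(/\)$/, ""); gsub(/, /, ","); print; exit
    }'
}

# has_opt OPTLIST OPT -- succeed if OPT is a whole item of the list.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_mount MOUNTPOINT REQUIRED... -- read mount output on stdin.
# Returns 0 if every required option is present, 1 if any is missing,
# 2 if the mount point is not visible at all (the enforce_statfs case).
check_mount() {
    mp=$1; shift
    opts=$(mount_opts "$mp")
    if [ -z "$opts" ]; then
        echo "$mp: not visible from here (check security.jail.enforce_statfs)"
        return 2
    fi
    rc=0
    for want in "$@"; do
        has_opt "$opts" "$want" || { echo "$mp: missing option $want"; rc=1; }
    done
    return $rc
}

# jail_can_see VALUE -- per jail(8): a mount below the jail root, other than
# the one holding the root itself, is visible only for enforce_statfs 0 or 1.
jail_can_see() {
    case $1 in 0|1) return 0 ;; *) return 1 ;; esac
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_MOUNT" | check_mount /tmp noexec nosuid nosymfollow \
    && echo "/tmp: all required options present"
jail_can_see 2 || echo "enforce_statfs=2 hides /tmp from the jail"
```

The checker only trusts what the jail itself reports, which is the view that matters: a mount that is correct on the host but invisible inside the jail is exactly the symptom the thread started with.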
doh

Well that worked and I can now see the options I am attempting to use on the mount within the jail.

Code:
# jexec 1 mount
/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/dev/md0 on /tmp (ext2fs, local, noexec, nosuid, nosymfollow)
devfs on /dev (devfs, local, multilabel)

Perhaps I am missing something, but when I create symlinks within the /tmp partition, the jail still follows them.
 