PEFS Inside Jail, "Operation not Permitted"

Made a post earlier about theoretical hidden directories attack vectors and PEFS. This is a simple question about a problem I'm having.

Inside a jail. With allow.mount; and enforce_statfs="0"; in /etc/jail.conf, I am getting the error message
Code:
root@jail:/home/user # ls -I
test
root@jail:/home/user # pefs mount test test
pefs mount: test: Operation not permitted

Running mount inside the jail shows all mounts on host (obviously since I set allow.mount and enforce_statfs=0). kldstat shows pefs loaded. Not sure what I'm missing here.
 
PEFS is designed to be used by the user, not by root? vfs.usermount=1 in sysctl.conf(5).

vfs.usermount=1 didn't work for me. I've tried both root and normal user. I added verbose and I get an output like this:
Code:
user@personal:~ # pefs mount -v test test
pefs mount: test: Operation not permitted
zroot/jails/personal on /jails/personal (zfs, local, noatime, nfsv4acls)

Really stumped here. I'm sure it's something simple. I tried other jails too, same results.
 
  • Did you set allow.mount.devfs & devfs_ruleset in jail.conf(5)?
  • Maybe pefs(8) is not "jail clean". Can you mount as user from within the host?
  • I'm not familiar with the internals of pefs(8), but I would try allow.mount.fusefs and/or allow.mount.nullfs in jail.conf(5), because pefs(5) might use these mechanisms.
  • Consider to ask the author via e-mail (manpage).
 
I dropped this issue for about a year, but decided to play around with it again recently. Writing this for posterity ...

If you want to get PEFS working inside of a jail, you need to start the jail, and then from the host machine, pefs mount the directory into an already mounted jail directory" pefs mount /jails/myjail/encrypted_directory /jails/myjail/encrypted_directory, and then pefs addkey -c /jails/myjail/encrypted_directory. This will make the files viewable from inside the running jail.

I tried to enable all the permissions that I could for everything possible inside the jail; but non of it seemed to work. I'm still not sure how to enable a jail to mount filesystems; seeing as how the jail can't exactly see the host filesystem and directory structure. I guess that's for another post; but I know the answer is always to put your mounts in the jail's fstab.
 
Top