https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=152465
--- Comment #5 from Andrey Zholos <a...@q-fu.com> ---

The same thing can still happen. Below is an updated scenario for 11.0-CURRENT. Perhaps it's not a likely scenario but it did happen to me once five years ago.

I'd suggest not starting the jail if the configured devfs_ruleset doesn't exist, but someone might do that on purpose and configure the rules in exec.prestart. Another option is for the devfs.rules parser to attempt to load subsequent rulesets after an error, or just documenting that important rulesets go first.

How-To-Repeat:

Install cups, following pkg-message to set up devfs:

# pkg install -y cups
# cat >>/etc/devfs.rules
[system=10]
add path 'usb*' mode 0770 group cups
add path 'ugen*' mode 0660 group cups
^D

Create jail:

# cat >>/etc/devfs.rules
[sandbox=100]
add hide
^D
# cat >>/etc/jail.conf
sandbox {
	path = /sandbox;
	ip4.addr = 10.1.1.1;
	mount.devfs;
	devfs_ruleset = 100;
	exec.start = "/dd if=/dev/ada0 of=ada0_copy count=1";
}
^D
# cat >>/etc/rc.conf
jail_enable=YES
^D
# mkdir /sandbox /sandbox/dev
# cp /rescue/dd /sandbox/

Reboot. Jailed command can't access /dev/ada0:

# ls /sandbox
dd      dev

Uninstall cups, following the suggestion to remove the user (which removes the cups group):

# pkg delete -y cups-base
==> You should manually remove the "cups" user.
# rmuser -y cups

Reboot. There's a console warning:

devfs rule: error converting to integer: cups
/etc/rc: WARNING: devfs_init_rulesets: could not read rules from /etc/devfs.rules

But the jailed command starts anyway and can now access /dev/ada0:

# ls /sandbox
ada0_copy       dd      dev
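A pre-flight check for the failure mode described above, added here as an example; it is not part of the bug report or of FreeBSD's rc scripts. It mirrors the reported behaviour (parsing stops at the first rule naming a missing group, so later rulesets are never loaded) and takes the list of existing groups as an argument rather than querying the system, so it runs offline; the sample devfs.rules it writes is a constructed copy of the one in the report.

```shell
#!/bin/sh
# Pre-flight check for devfs.rules (example code, not from the bug report or
# from FreeBSD's rc scripts). As reported above, the rc parser stops at the
# first rule it cannot apply, so every ruleset defined after that rule is never
# loaded and a jail referencing it starts with no devfs restrictions at all.
# The list of existing groups is injected as the second argument so the check
# runs anywhere; on the real host build it from: getent group | cut -d: -f1

# devfs_rules_check RULESFILE "group1 group2 ..."
# Exit 0 if every ruleset would load, 1 if any would be lost.
devfs_rules_check() {
    awk -v groups=" $2 " '
    /^\[/ {                        # ruleset header, e.g. [sandbox=100]
        cur = $0; sub(/^\[/, "", cur); sub(/\].*$/, "", cur)
        if (failed) lost = lost " " cur
        next
    }
    /^add / && !failed {           # only rules before the first error load
        for (i = 1; i < NF; i++)
            if ($i == "group" && index(groups, " " $(i + 1) " ") == 0) {
                printf "line %d (ruleset %s): unknown group %s\n", NR, cur, $(i + 1)
                failed = 1
            }
    }
    END {
        if (lost != "") { print "rulesets never loaded:" lost; exit 1 }
        if (failed) exit 1
    }' "$1"
}

# Writes a constructed copy of the devfs.rules from the report to a temp file
# and prints its path (sample input for the demo, not a real system file).
write_sample_rules() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
[system=10]
add path 'usb*' mode 0770 group cups
add path 'ugen*' mode 0660 group cups
[sandbox=100]
add hide
EOF
    echo "$f"
}

# Demo: with the cups group removed, ruleset 100 is lost and the jail would
# start with an unrestricted /dev.
devfs_rules_check "$(write_sample_rules)" "wheel operator" ||
    echo "=> fix devfs.rules before starting jails"
```

Run it from exec.prestart (or before `service jail start`) with the host's real group list to refuse to start a jail whose devfs_ruleset would be missing.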