author | mtm <mtm@FreeBSD.org> | 2003-08-20 06:15:18 +0000 |
---|---|---|
committer | mtm <mtm@FreeBSD.org> | 2003-08-20 06:15:18 +0000 |
commit | ca8f17fdde609d29203cfa0f308cb5fc42a02f8f (patch) | |
tree | 1401c7d38c4f23bad9b125bba53dcb61f9f0e691 /etc/defaults | |
parent | f52fd79992cfa0bd3827c16e881a6bf6d07264a3 (diff) | |
Add a general mechanism for creating and applying
devfs(8) rules in rc(8). It is most useful for applying
rules to devfs(5) mount points in /dev or inside jails.
The following line of script is sufficient to
mount a relatively useful+secure devfs(5) in a jail:
devfs_mount_jail /some/jail/dev
Some new shell routines available to scripts that source
rc.subr(5):
o devfs_link - Makes it a little easier to create symlinks
o devfs_init_rulesets - Create devfs(8) rulesets from devfs.rules
o devfs_set_ruleset - Set a ruleset to a devfs(5) mount
o devfs_apply_ruleset - Apply a ruleset to a devfs(5) mount
o devfs_domount - Mount devfs(5) and apply some ruleset
o devfs_mount_jail - Mount devfs(5) and apply a ruleset
appropriate to jails.
Additional rulesets can be specified in /etc/devfs.rules.
If the devfs_system_ruleset variable is defined in rc.conf
and it contains the name of a ruleset defined in /etc/defaults/devfs.rules
or user supplied rulesets in /etc/devfs.rules then that ruleset will
be applied to /dev at startup by the /etc/rc.d/devfs script. It can
also be applied post-startup:
/etc/rc.d/devfs start
This is a more flexible mechanism than the previous method of using
/etc/devfs.conf. However, that method is still available.
Note: since devfs(8) doesn't provide any way for creating symlinks
as part of a ruleset, anyone wishing to create symlinks in a devfs(5)
as part of the bootup sequence will still have to rely on /etc/devfs.conf.
Diffstat (limited to 'etc/defaults')
-rw-r--r-- | etc/defaults/Makefile | 2 | ||||
-rw-r--r-- | etc/defaults/devfs.rules | 64 | ||||
-rw-r--r-- | etc/defaults/rc.conf | 4 |
3 files changed, 69 insertions, 1 deletions
diff --git a/etc/defaults/Makefile b/etc/defaults/Makefile index 3e9a52d..56e74ff 100644 --- a/etc/defaults/Makefile +++ b/etc/defaults/Makefile @@ -1,6 +1,6 @@ # $FreeBSD$ -FILES= pccard.conf periodic.conf rc.conf +FILES= devfs.rules pccard.conf periodic.conf rc.conf NOOBJ= noobj FILESDIR= /etc/defaults FILESMODE= 644 diff --git a/etc/defaults/devfs.rules b/etc/defaults/devfs.rules new file mode 100644 index 0000000..aa61899 --- /dev/null +++ b/etc/defaults/devfs.rules 
@@ -0,0 +1,64 @@ +# +# The following are some default rules for devfs(5) mounts. +# The format is very simple. Empty lines and lines begining +# with a hash '#' are ignored. If the hash mark occurs anywhere +# other than the beginning of a line, it and any subsequent +# characters will be ignored. A line in between brackets '[]' +# denotes the beginning of a ruleset. In the brackets should +# be a name for the rule and its ruleset number. Any other lines +# will be considered to be the 'action' part of a rule +# passed to the devfs(8) command. These will be passed +# "as-is" to the devfs(8) command with the exception that +# any references to other rulesets will be expanded first. These +# references must include a dollar sign '$' in-front of the +# name to be expanded properly. +# +# $FreeBSD$ +# + +# Very basic and secure ruleset: Hide everything. +# Used as a basis for other rules. +# +[devfsrules_hide_all=1] +add hide + +# Basic devices typically necessary. +# Requires: devfsrules_hide_all +# +[devfsrules_unhide_basic=2] +add path null unhide +add path zero unhide +add path random unhide +add path urandom unhide + +# Devices typically needed to support logged-in users. +# Requires: devfsrules_hide_all +# +[devfsrules_unhide_login=3] +add path 'ptyp*' unhide +add path 'ptyq*' unhide +add path 'ptyr*' unhide +add path 'ptys*' unhide +add path 'ptyP*' unhide +add path 'ptyQ*' unhide +add path 'ptyR*' unhide +add path 'ptyS*' unhide +add path 'ttyp*' unhide +add path 'ttyq*' unhide +add path 'ttyr*' unhide +add path 'ttys*' unhide +add path 'ttyP*' unhide +add path 'ttyQ*' unhide +add path 'ttyR*' unhide +add path 'ttyS*' unhide +add path 'fd/*' unhide +add path stdin unhide +add path stdout unhide +add path stderr unhide + +# Devices usually found in a jail. +# +[devfsrules_jail=4] +add include $devfsrules_hide_all +add include $devfsrules_unhide_basic +add include $devfsrules_unhide_login 
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index b247b32..be380f2 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -434,6 +434,10 @@ jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail watchdogd_enable="NO" # Start the software watchdog daemon +devfs_rulesets="/etc/defaults/devfs.rules /etc/devfs.rules" # Files containing + # devfs(8) rules. +devfs_system_ruleset="" # The name of a ruleset to apply to /dev + ############################################################## ### Define source_rc_confs, the mechanism used by /etc/rc.* ## |
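Review bot: in etc/defaults/devfs.rules, devfsrules_unhide_basic=2 and devfsrules_unhide_login=3 state "Requires: devfsrules_hide_all" only in a comment, and neither ruleset includes it, so a mount that is given one of them on its own (for example through devfs_system_ruleset) receives only unhide rules and no hide rule. Only devfsrules_jail=4 combines them, and it relies on `add include $devfsrules_hide_all` staying the first line. Suggest saying in the header comment that rulesets 2 and 3 are building blocks to be included after a hide ruleset, not applied directly, and that the include order in devfsrules_jail is significant. Two wording fixes in the same header: "begining" should be "beginning", and "a name for the rule and its ruleset number" should read "a name for the ruleset and its number".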
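Review bot: in etc/defaults/rc.conf, the comments on the two new variables do not document the empty default `devfs_system_ruleset=""` or how a ruleset name or number in /etc/devfs.rules that collides with one from /etc/defaults/devfs.rules (numbers 1 to 4 are now taken there) is resolved. Suggest extending the comments to say that an empty value leaves /dev without a ruleset, if that is the intent, and either which file wins on a collision or that local rulesets must use numbers the defaults file does not. The variables are also appended after watchdogd_enable at the end of the jail settings with no heading of their own; a short devfs comment header would make them easier to find.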