From 1626913ed14bc2163e16ddb8e183c16020a65498 Mon Sep 17 00:00:00 2001 From: mm Date: Thu, 9 Feb 2012 10:22:08 +0000 Subject: Add support for mounting devfs inside jails. A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for mounting devfs inside jails. A value of -1 disables mounting devfs in jails, a value of zero means no restrictions. Nested jails can only have mounting devfs disabled or inherit parent's enforcement as jails are not allowed to view or manipulate devfs(8) rules. Utilizes new functions introduced in r231265. Reviewed by: jamie MFC after: 1 month --- usr.sbin/jail/jail.8 | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'usr.sbin') diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index c5a2245..5cd77fc 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -34,7 +34,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 23, 2011 +.Dd February 9, 2012 .Dt JAIL 8 .Os .Sh NAME @@ -301,6 +301,17 @@ A jail never has a lower securelevel than the default system, but by setting this parameter it may have a higher one. If the system securelevel is changed, any jail securelevels will be at least as secure. +.It Va devfs_ruleset +The number of the devfs ruleset that is enforced for mounting devfs in +this jail and its descendants. A value of zero means no ruleset is enforced +or if set inside a jail for a descendant jail, the parent jails's devfs +ruleset enforcement is inherited. A value of -1 (default) means mounting a +devfs filesystem is not allowed. Mounting devfs inside a jail is possible +only if the +.Va allow.mount +permission is effective and +.Va enforce_statfs +is set to a value lower than 2. .It Va children.max The number of child jails allowed to be created by this jail (or by other jails under this jail). -- cgit v1.1