Message-Id: <201011212317.oALNHadV007706@red.freebsd.org>
Date: Sun, 21 Nov 2010 23:17:36 GMT
From: Andrey Zholos <aaz@althenia.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [jail] devfs is mounted in jails without rules if devfs.rules can't be parsed
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         152465
>Category:       conf
>Synopsis:       [jail] [patch] devfs is mounted in jails without rules if devfs.rules can't be parsed
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    simon
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 21 23:20:09 UTC 2010
>Closed-Date:    
>Last-Modified:  Thu Dec 02 07:35:58 UTC 2010
>Originator:     Andrey Zholos
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD freebsd 9.0-CURRENT-201011 FreeBSD 9.0-CURRENT-201011 #0: Wed Nov  3 18:19:06 UTC 2010     root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
If /etc/devfs.rules contains invalid rules and can't be parsed, devfs is
still mounted inside jails, exposing all host devices to a potentially
untrusted environment.

Because parsing of rules stops at the first error, this can happen when
the invalid rule is in a group of rules unrelated to the jail, and even
when a syntactically-correct rule becomes invalid.

For example, the rule

    add path 'ulpt*' mode 0660 group cups

becomes invalid when CUPS is deinstalled (removing the cups group).
This produces a warning, but jails are already started with full access
to devfs before the rule can be removed.

This doesn't affect jails using the standard ruleset (devfsrules_jail in
/etc/defaults/devfs.rules), only those using a custom ruleset in
/etc/devfs.rules which is specified after an invalid rule.

>How-To-Repeat:
Make a simple jail (replace "ad0"):

# mkdir -p /sandbox/{dev,etc,bin,lib,libexec}
# cp /bin/dd /sandbox/bin
# cp /lib/libc.so.* /sandbox/lib
# cp /libexec/ld-elf.so.* /sandbox/libexec
# echo 'root:*:0:0::0:0:Root:/:' > /sandbox/etc/master.passwd
# pwd_mkdb -p -d /sandbox/etc /sandbox/etc/master.passwd

/etc/rc.conf has:
jail_enable="YES"
jail_list="sandbox"
jail_sandbox_hostname="sandbox"
jail_sandbox_rootdir="/sandbox"
jail_sandbox_devfs_enable="YES"
jail_sandbox_devfs_ruleset="sandbox_rules"
jail_sandbox_exec_start="/bin/dd if=/dev/ad0 of=ad0_copy count=1"

/etc/devfs.rules has:
[sandbox_rules=100]
add hide

Normal start, jail can't access host disk:

# /etc/rc.d/jail start
Configuring jails:.
Starting jails: cannot start jail "sandbox": 
dd: /dev/ad0: No such file or directory
>Fix:
>Release-Note:
>Audit-Trail:

From: Andrey Zholos <aaz@althenia.net>
To: bug-followup@freebsd.org,
 aaz@althenia.net
Cc:  
Subject: Re: conf/152465: [jail] devfs is mounted in jails without rules if devfs.rules can't be parsed
Date: Mon, 22 Nov 2010 00:32:53 +0000

 The report got truncated (at a line that was a single dot).
 
 The rest of How-To-Repeat is:
 
 Prevent devfs.rules from being parsed:
 
 /etc/devfs.rules now has:
 [other_rules=99]
 add path 'ulpt*' group nonexistent
 [sandbox_rules=100]
 add hide
 
 Watch the jail read /dev/ad0 into /sandbox/ad0_copy:
 
 # /etc/rc.d/jail restart
 
 
 Fix:
 
 One possible solution is attached: devfs_mount_jail fails if devfs.rules
 can't be parsed or the ruleset can't be applied, and the jail doesn't
 start if this happens.
 
 This can leave devfs mounted without rules after a jail fails to start,
 so if devfs is already mounted when the jail is being started the next
 time, unmount it and try again rather than using it as is.
 
 This patch will prevent all jails using devfs from starting if
 devfs.rules can't be parsed, even those using the standard ruleset (from
 /etc/defaults/devfs.rules). Another option is to ignore errors in
 devfs_init_ruleset, while still failing on errors in devfs_set_ruleset
 and devfs_apply_ruleset.
 
 
 Patch:
 
 --- etc/rc.subr.orig	2010-11-03 17:39:53.000000000 +0000
 +++ etc/rc.subr	2010-11-21 18:52:42.000000000 +0000
 @@ -1422,14 +1422,19 @@
  		return 1
  	fi
  	debug "$_me: mount-point is ($devdir), ruleset is ($rs)"
 +	if [ -n "$rs" ]; then
 +		if ! devfs_init_rulesets; then
 +			warn "$_me: Unable to load ruleset $rs";
 +			return 1
 +		fi
 +	fi
  	if ! mount -t devfs dev "$devdir"; then
  		warn "$_me: Unable to mount devfs on $devdir"
  		return 1
  	fi
  	if [ -n "$rs" ]; then
 -		devfs_init_rulesets
 -		devfs_set_ruleset $rs $devdir
 -		devfs -m $devdir rule applyset
 +		devfs_set_ruleset $rs $devdir || return 1
 +		devfs_apply_ruleset $rs $devdir || return 1
  	fi
  	return 0
  }
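
Review bot: The two new "|| return 1" exits sit after the successful mount -t devfs dev "$devdir", so a failure in devfs_set_ruleset or devfs_apply_ruleset returns with devfs still mounted on $devdir and no ruleset applied, which is the exposed state this PR is about. Unmount in those failure paths (for example umount "$devdir" before returning) so the function fails closed on its own instead of depending on the next jail start to clean up. Those two exits are also silent, unlike the devfs_init_rulesets branch; a warn naming $rs and $devdir would make the failure visible, and the stray ";" after the new warn line can be dropped.
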
 @@ -1448,7 +1453,6 @@
  	[ -n "$2" ] && rs=$2 || rs="devfsrules_jail"
  	_me="devfs_mount_jail"
  
 -	devfs_init_rulesets
  	if ! devfs_domount "$jdev" $rs; then
  		warn "$_me: devfs was not mounted on $jdev"
  		return 1
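
Review bot: The context line warn "$_me: devfs was not mounted on $jdev" becomes misleading once devfs_domount can return failure for ruleset errors that happen after the mount succeeded; reword it to cover both cases (for example "devfs could not be set up on $jdev"). With devfs_init_rulesets removed here, loading the rules depends on rs being non-empty in the callee, which holds only because of the devfsrules_jail default on the first context line; a short comment noting that dependency would protect it from a later edit.
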
 --- etc/rc.d/jail.orig	2010-11-03 17:39:53.000000000 +0000
 +++ etc/rc.d/jail	2010-11-21 18:49:48.000000000 +0000
 @@ -590,22 +590,26 @@
  			jail_mount_fstab
  		fi
  		if checkyesno _devfs; then
 -			# If devfs is already mounted here, skip it.
 -			df -t devfs "${_devdir}" >/dev/null
 -			if [ $? -ne 0 ]; then
 -				if is_symlinked_mountpoint ${_devdir}; then
 -					warn "${_devdir} has symlink as parent - not 
 starting jail ${_jail}"
 -					continue
 -				fi
 -				info "Mounting devfs on ${_devdir}"
 -				devfs_mount_jail "${_devdir}" ${_ruleset}
 -				# Transitional symlink for old binaries
 -				if [ ! -L "${_devdir}/log" ]; then
 -					__pwd="`pwd`"
 -					cd "${_devdir}"
 -					ln -sf ../var/run/log log
 -					cd "$__pwd"
 -				fi
 +			# If devfs is already mounted here, unmount it first.
 +			if df -t devfs "${_devdir}" >/dev/null; then
 +				secure_umount "${_devdir}"
 +			fi
 +			if is_symlinked_mountpoint ${_devdir}; then
 +				warn "${_devdir} has symlink as parent - not starting 
 jail ${_jail}"
 +				continue
 +			fi
 +			info "Mounting devfs on ${_devdir}"
 +			if ! devfs_mount_jail "${_devdir}" ${_ruleset}; then
 +				warn "devfs failed to mount - not starting jail 
 ${_jail}"
 +				continue
 +			fi
 +
 +			# Transitional symlink for old binaries
 +			if [ ! -L "${_devdir}/log" ]; then
 +				__pwd="`pwd`"
 +				cd "${_devdir}"
 +				ln -sf ../var/run/log log
 +				cd "$__pwd"
  			fi
  
  			# XXX - It seems symlinks don't work when there
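
Review bot: The return status of the new secure_umount "${_devdir}" call is ignored, so if the stale devfs cannot be unmounted the code carries on and mounts another devfs over it. Check the result and skip the jail with a warn and continue, the same way the is_symlinked_mountpoint and devfs_mount_jail branches below it do. The unmount also now runs before the is_symlinked_mountpoint check; moving that check above the df/secure_umount block would keep every operation on ${_devdir} behind the same guard.
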
 
Responsible-Changed-From-To: freebsd-bugs->freebsd-jail 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Nov 22 18:03:36 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152465 
Responsible-Changed-From-To: freebsd-jail->simon 
Responsible-Changed-By: simon 
Responsible-Changed-When: Thu Dec 2 07:35:04 UTC 2010 
Responsible-Changed-Why:  
Grab PR to make sure it gets dealt with - other committers should feel 
free to grab the PR if they like and can handle it soon. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152465 
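
The fail-open behaviour described in this PR, next to the fail-closed flow the proposed patch aims for, as an added example that is not part of the report or of FreeBSD's rc.subr. It is a simplified POSIX sh model: the function names, the KNOWN_GROUPS list and the state variables are assumptions, and nothing is actually mounted.

```shell
#!/bin/sh
# Simplified model of the jail devfs start-up flow (added example; this is
# not FreeBSD's rc.subr and no devfs is really mounted).

# Constructed input: the broken rules file from the follow-up, and a good one.
RULES_BAD="[other_rules=99]
add path 'ulpt*' group nonexistent
[sandbox_rules=100]
add hide"
RULES_OK="[sandbox_rules=100]
add hide"
KNOWN_GROUPS="wheel operator"   # assumption: groups that exist on the host

# Parse rules text top to bottom and stop at the first invalid rule, so
# rulesets defined after the error are never loaded.
load_rulesets() {
    LOADED=""
    while IFS= read -r line; do
        case $line in
            ''|\#*) ;;                          # blank line or comment
            \[*=*\])                            # [name=number] header
                name=${line#\[}
                LOADED="$LOADED ${name%%=*}" ;;
            *" group "*)                        # rule naming a group
                grp=${line##* group }
                grp=${grp%% *}
                case " $KNOWN_GROUPS " in
                    *" $grp "*) ;;
                    *) echo "devfs.rules: unknown group '$grp'" >&2
                       return 1 ;;
                esac ;;
        esac
    done <<EOF
$1
EOF
    return 0
}

# Succeeds only if the named ruleset was loaded.
apply_ruleset() {
    case " $LOADED " in
        *" $1 "*) APPLIED=$1; return 0 ;;
    esac
    return 1
}

report() { echo "mounted=$MOUNTED ruleset=$APPLIED started=$STARTED"; }

# Pre-patch flow: every status is discarded, so the jail starts with devfs
# mounted even when no ruleset could be applied.
start_jail_unchecked() {    # args: rules-text ruleset-name
    MOUNTED=no APPLIED=none STARTED=no
    load_rulesets "$1" || :     # status deliberately ignored
    MOUNTED=yes
    apply_ruleset "$2" || :     # status deliberately ignored
    STARTED=yes
    report
}

# Patched flow: load the rules before mounting and refuse to start the jail
# on any failure. A failure after the mount still leaves devfs mounted
# without rules, which is why the patch unmounts on the next start.
start_jail_checked() {      # args: rules-text ruleset-name
    MOUNTED=no APPLIED=none STARTED=no
    if ! load_rulesets "$1"; then report; return 1; fi
    MOUNTED=yes
    if ! apply_ruleset "$2"; then report; return 1; fi
    STARTED=yes
    report
}

echo "unchecked, broken rules: $(start_jail_unchecked "$RULES_BAD" sandbox_rules)"
echo "checked,   broken rules: $(start_jail_checked "$RULES_BAD" sandbox_rules)"
echo "checked,   good rules:   $(start_jail_checked "$RULES_OK" sandbox_rules)"
echo "checked,   unknown set:  $(start_jail_checked "$RULES_OK" missing_rules)"
```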
>Unformatted:
