Summary: | /etc/defaults/devfs.rules rule recursion | ||
---|---|---|---|
Product: | Base System | Reporter: | Gijs Peskens <gijs> |
Component: | conf | Assignee: | Kristof Provost <kp> |
Status: | In Progress --- | ||
Severity: | Affects Many People | CC: | dmitry.wagin, kp, michael.osipov, michaelo, zlei |
Priority: | --- | ||
Version: | 13.0-RELEASE | ||
Hardware: | Any | ||
OS: | Any |
Description
Gijs Peskens
2021-05-06 15:13:38 UTC
Steps to repeated: 1. mkdir -p /tmp/dev 2. mount -t devfs devfs /tmp/dev 3. devfs -m /tmp/dev rule -s 5 applyset 4. ls /tmp/dev Code review: https://reviews.freebsd.org/D32814 A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=7acd322ebe2072b1d73b1d19c14ab12a300ba8e8 commit 7acd322ebe2072b1d73b1d19c14ab12a300ba8e8 Author: Zhenlei Huang <zlei.huang@gmail.com> AuthorDate: 2021-11-03 11:46:48 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-11-03 11:50:13 +0000 devfs.rules: Correctly unhide pf in vnet jails Revision 9e9be081d8 introduced a new devfs rule devfsrules_jail_vnet. It includes rule devfsrules_jail which include other rules. Unfortunately devfs could not recursively parse the action include and thus devfsrules_jail_vnet will expose all nodes. PR: 255660 Reviewed by: kp Obtained from: Gijs Peskens <gijs@peskens.net> MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D32814 sbin/devfs/devfs.rules | 3 +++ 1 file changed, 3 insertions(+) A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=eaab06d53dfa7fbf926a2c19aa00a6804b5e6349 commit eaab06d53dfa7fbf926a2c19aa00a6804b5e6349 Author: Zhenlei Huang <zlei.huang@gmail.com> AuthorDate: 2021-11-03 11:46:48 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-11-24 16:45:51 +0000 devfs.rules: Correctly unhide pf in vnet jails Revision 9e9be081d8 introduced a new devfs rule devfsrules_jail_vnet. It includes rule devfsrules_jail which include other rules. Unfortunately devfs could not recursively parse the action include and thus devfsrules_jail_vnet will expose all nodes. PR: 255660 Reviewed by: kp Obtained from: Gijs Peskens <gijs@peskens.net> MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D32814 (cherry picked from commit 7acd322ebe2072b1d73b1d19c14ab12a300ba8e8) sbin/devfs/devfs.rules | 3 +++ 1 file changed, 3 insertions(+) (In reply to Gijs Peskens from comment #0) Use sysctl vfs.devfs.rule_depth=2 (In reply to Dmitry Wagin from comment #5) maybee need change default 1 -> 2 (In reply to Dmitry Wagin from comment #5) Emmm, DEVFS(8) says: > include ruleset Apply all the rules in ruleset number ruleset to the > node. This does not necessarily result in any changes > to the node (e.g., if none of the rules in the included > ruleset match). Include commands in the referenced > ruleset are not resolved. sadly the sysctl variable `vfs.devfs.rule_depth` is not well documented :( (In reply to Dmitry Wagin from comment #6) > maybee need change default 1 -> 2 This need justification. If the default is changed from 1 to 2, then it should be documented explicitly and we should give a good reason why it is not change from 1 to 3. There're cases user customize local devfs.rules and reference existing default ruleset. The default 2 would confuse end users. Maybe it is better we step further to default allow recursive `include`, and the kernel checks and prevents DAG cycles, ruleset A -> B -> A, i.e. (In reply to Zhenlei Huang from comment #8) > kernel checks and prevents DAG cycles, ruleset A -> B -> A, i.e. Sorry the "prevents DAG cycles" is misleading. I meant "prevents DG cycles". |