Bug 191628 - [9.3-RC2] ruleset bug report #187079 which was fixed in 10.0 is not fixed in 9.3-RC1 or RC2
Status: Closed Overcome By Events
Product: Base System
Classification: Unclassified
Component: conf
Version: 9.3-PRERELEASE
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-bugs (Nobody)
Reported: 2014-07-05 12:46 UTC by joeb1
Modified: 2015-09-05 20:52 UTC
Description joeb1 2014-07-05 12:46:19 UTC
This came out as a "security fix" p1 or p2 for 10.0 and should be included in the base r9.3 RELEASE.
Make devfs_load_rulesets="YES" the default in /etc/defaults/rc.conf.
Comment 1 Gavin Atkinson freebsd_committer freebsd_triage 2014-07-05 18:46:28 UTC
Hi,

It's not clear why you feel this needs merging.  The issue which led to the security advisory only affected 10.x, and not 9.x.  If no ruleset is explicitly selected in rc.conf, the default ruleset will be automatically used, just as happens in 10.x after the security fix is applied.

If there is another reason you feel this should be applied, please let me know.

Thanks,

Gavin
Comment 2 joeb1 2014-07-06 00:24:39 UTC
This is not a question of which RELEASE you're running but what jail method you're using. jail(8) became available in 9.1 and it was full of bugs. One of which was the bug that caused the default ruleset number 4 not to work in 9.1, 9.2, and 10.0.
This was never fixed until pr 187079 noticed the effect that changing the /etc/defaults/rc.conf parameter devfs_load_rulesets= from its default "NO" to "YES" had on enabling the default ruleset number 4 on jail(8) jails in RELEASE 10.0. Since 10.0 RELEASE was already published, the only way to fix this was through a security advisory. 10.0 is the first RELEASE where the rc.d/jail script method is deprecated and the jail(8) method is the primary method. In 10.0 all rc.d/jail rc.conf defined jails are converted to the jail(8) method on the fly when the jail is started.

9.1, 9.2, and 9.3 use the rc.d/jail as the primary jail method and the jail(8) method is also provided, but the default to use ruleset number 4 does not work for jail(8) jails in these RELEASES because the devfs_load_rulesets= parameter is set to NO instead of YES. Setting it to YES fixes jail(8) and has no negative effect on the rc.d/jail method that I can see from the testing I have done.

So yes I feel that all indications show that devfs_load_rulesets="YES" should be the default in /etc/defaults/rc.conf for the 9.3 RELEASE. Since jail(8) is the direction FreeBSD is headed, every effort should be made to get it to function as intended. 

At the least, some kind of instructions should be added to the 9.3 release notes covering this subject if correcting the problem is bypassed.