# Accessing device from inside jail / cryptsetup on FreeBSD



## hrw (Dec 4, 2016)

Hello,

I'm trying to access a device at "low level" from inside a Debian jail. I created the jail using this howto, without any problems: https://forums.freebsd.org/threads/41470/

What I'm really going to do is to use cryptsetup inside the jail:

```
debian:~# ls -lahtr container_file
-rw-r--r-- 1 root root 250M Dec  4 14:25 container_file
debian:~# cryptsetup luksFormat container_file

WARNING!
========
This will overwrite data on container_file irrevocably.

Are you sure? (Type uppercase yes): YES
mlockall failed: Operation not permitted
WARNING!!! Possibly insecure memory. Are you root?
Enter LUKS passphrase:
Verify passphrase:
Command failed: Unable to obtain sector size for container_file
```

Looking at the source code shows that the problem occurs because I'm not allowed to open the device (read only):


```
int sector_size_for_device(const char *device)
{
        int fd = open(device, O_RDONLY);
        int r;
        if(fd < 0)
                return -EINVAL;
        r = sector_size(fd);
        close(fd);
        return r;
}
```

Other problems relating to the same permission problem:
```
debian:~# cryptsetup luksFormat /dev/ada0s4

WARNING!
========
This will overwrite data on /dev/ada0s4 irrevocably.

Are you sure? (Type uppercase yes): YES
mlockall failed: Operation not permitted
WARNING!!! Possibly insecure memory. Are you root?
Command failed: Can not access device
```

```
debian:~# mkfs.ext4 /dev/ada0s4
mke2fs 1.41.3 (12-Oct-2008)
/dev/ada0s4 is not a block special device.
Proceed anyway? (y,n) y
/dev/ada0s4: Operation not permitted while setting up superblock
```

So there seems to be no way to access the devices, not even for reading.

This is my jail config:

```
root@workstation:~ # cat /jailz/etc/jail.conf
debian {
 path = /jailz/debian;
 allow.mount;
 allow.mount.devfs;
 mount.devfs;
 devfs_ruleset = 0;
 enforce_statfs = 0;
 host.hostname = debian;
 mount.fstab="/jailz/etc/fstab.debian";
 ip4.addr = 127.0.0.10;
 interface = lo0;
 exec.start = "/etc/init.d/rc 3";
 exec.stop = "/etc/init.d/rc 0";
}
```

Any ideas what other permissions I could set?
Or is this even possible from inside a jail?


----------



## hrw (Dec 4, 2016)

If I update permissions in /etc/devfs.conf:

```
own    ada0* root:operator
perm   ada0* 0666
```

and in /etc/devfs.rules:

```
[devfsrules_jail=5]
add path 'ada0*' unhide
add path 'ada0*' mode 0777
```

I got those new permissions on the devices, but I'm still not allowed to access them?


```
root@workstation:~ # ls -lahtr /dev/ada0*
crw-rw-rw-  1 root  operator   0x9b  4 Dez. 12:57 /dev/ada0s4.eli
crw-rw-rw-  1 root  operator   0x94  4 Dez. 12:57 /dev/ada0s4
crw-rw-rw-  1 root  operator   0x9e  4 Dez. 12:57 /dev/ada0s3d.eli
crw-rw-rw-  1 root  operator   0x9a  4 Dez. 12:57 /dev/ada0s3d
crw-rw-rw-  1 root  operator   0x99  4 Dez. 12:57 /dev/ada0s3b
crw-rw-rw-  1 root  operator   0x98  4 Dez. 12:57 /dev/ada0s3a
crw-rw-rw-  1 root  operator   0x8b  4 Dez. 12:57 /dev/ada0s3
crw-rw-rw-  1 root  operator   0x8a  4 Dez. 12:57 /dev/ada0s2
crw-rw-rw-  1 root  operator   0x89  4 Dez. 12:57 /dev/ada0s1
crw-rw-rw-  1 root  operator   0x88  4 Dez. 12:57 /dev/ada0
crw-rw-rw-  1 root  operator   0x86  4 Dez. 12:57 /dev/ada0s3b.eli
```


```
debian:/# ls -lahtr /dev/ada0*
crwxrwxrwx 1 root tty 0, 155 Dec  4 12:57 /dev/ada0s4.eli
crwxrwxrwx 1 root tty 0, 148 Dec  4 12:57 /dev/ada0s4
crwxrwxrwx 1 root tty 0, 158 Dec  4 12:57 /dev/ada0s3d.eli
crwxrwxrwx 1 root tty 0, 154 Dec  4 12:57 /dev/ada0s3d
crwxrwxrwx 1 root tty 0, 153 Dec  4 12:57 /dev/ada0s3b
crwxrwxrwx 1 root tty 0, 152 Dec  4 12:57 /dev/ada0s3a
crwxrwxrwx 1 root tty 0, 139 Dec  4 12:57 /dev/ada0s3
crwxrwxrwx 1 root tty 0, 138 Dec  4 12:57 /dev/ada0s2
crwxrwxrwx 1 root tty 0, 137 Dec  4 12:57 /dev/ada0s1
crwxrwxrwx 1 root tty 0, 136 Dec  4 12:57 /dev/ada0
crwxrwxrwx 1 root tty 0, 134 Dec  4 12:57 /dev/ada0s3b.eli
```


----------
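A diagnostic for the situation in the posts above, as an added example that is not part of the thread and not cryptsetup code: it repeats the read-only `open()` from `sector_size_for_device()` but keeps `errno` instead of collapsing it to `-EINVAL`, so a refusal by mode bits (`EACCES`) can be told apart from a refusal by a privilege or policy check (`EPERM`) or a missing node (`ENOENT`). The names `probe_device`, `classify` and the `PROBE_*` values are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum probe_result { PROBE_OK, PROBE_MISSING, PROBE_MODE_DENIED,
                    PROBE_POLICY_DENIED, PROBE_OTHER };

/* Hypothetical helper (added example): map open()'s errno to a cause. */
static enum probe_result classify(int err)
{
    switch (err) {
    case 0:      return PROBE_OK;
    case ENOENT: return PROBE_MISSING;       /* node absent or hidden */
    case EACCES: return PROBE_MODE_DENIED;   /* owner/group/mode bits said no */
    case EPERM:  return PROBE_POLICY_DENIED; /* typically a privilege or policy
                                                check, not the mode bits */
    default:     return PROBE_OTHER;
    }
}

/* Same O_RDONLY open as sector_size_for_device(), but errno is preserved.
 * *kind receives 'b' (block), 'c' (character), 'f' (regular file) or '?'. */
enum probe_result probe_device(const char *path, char *kind)
{
    struct stat st;
    int fd, err;

    *kind = '?';
    if (stat(path, &st) == 0)
        *kind = S_ISBLK(st.st_mode) ? 'b' : S_ISCHR(st.st_mode) ? 'c' :
                S_ISREG(st.st_mode) ? 'f' : '?';
    fd = open(path, O_RDONLY);
    err = (fd < 0) ? errno : 0;   /* capture before any other call */
    if (fd >= 0)
        close(fd);
    fprintf(stderr, "%s: type=%c open(O_RDONLY): %s\n",
            path, *kind, err ? strerror(err) : "ok");
    return classify(err);
}

int main(int argc, char **argv)
{
    char kind;
    int i, failed = 0;
    for (i = 1; i < argc; i++)   /* one report line per path argument */
        failed |= (probe_device(argv[i], &kind) != PROBE_OK);
    return failed;
}
```

Built inside the jail, it can be run against the paths from the posts, such as `container_file` and `/dev/ada0s4`; a line that reports `ok` means the open itself succeeded and the failure lies in a later step.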

