# jail with mount.devfs inside a jail



## zirias@ (Sep 9, 2016)

Hi all,

I'm trying to create a jail with mounted devfs inside another jail and get the following error:

```
builder# jail -c host=inherit path=/usr/local/poudriere/jails/sysbuilder mount.devfs command=/bin/sh
mount: .: Operation not permitted
jail: /sbin/mount -t devfs -oruleset=4 . /usr/local/poudriere/jails/sysbuilder/dev: failed
```
But the following works:

```
builder# /sbin/mount -t devfs . /usr/local/poudriere/jails/sysbuilder/dev
```
Of course I don't want to have a full devfs in my jail. Why does it fail when the ruleset option is given?

Configuration of the "outer" jail is as follows:

```
exec.start    = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
mount.fstab = "/var/jail/${name}.fstab";
host.hostname = "${name}.home.palmen-it.de";
allow.noset_hostname;

path = "/var/jail/${name}/jail";

builder {
     ip4.addr =    192.168.99.41, 127.0.0.1;
     interface = tap0;
     ip6 = inherit;
     children.max = 20;
     allow.mount;
     allow.mount.devfs;
     allow.mount.procfs;
     allow.mount.linprocfs;
     allow.mount.zfs;
     allow.mount.nullfs;
     allow.mount.tmpfs;
     allow.raw_sockets;
     allow.socket_af;
     allow.sysvipc;
     allow.chflags;
     enforce_statfs=1;
     exec.poststart="zfs jail builder zroot/poudriere && jexec builder zfs mount -a";
     exec.prestop="jexec builder zfs umount -a && zfs unjail builder zroot/poudriere";
}
```
Thanks,
Felix


----------



## max21 (Sep 9, 2016)

Could something like this fit in somewhere?

```
devfs -m /usr/local/jail-1/dev rule -s 4 applyset
devfs -m /usr/local/jail-1/dev rule apply path tun0 unhide
```
You can hide or unhide anything you want.


----------



## zirias@ (Sep 9, 2016)

Thanks for the idea, I didn't try to apply the ruleset after mounting. Unfortunately, this doesn't work either:

```
builder# devfs -m /usr/local/poudriere/jails/sysbuilder/dev rule -s 4 applyset
devfs rule: ioctl DEVFSIO_SAPPLY: Operation not permitted
```
Is this by design? Maybe I just overlooked some allow.* setting necessary for the "parent" jail?

_[edit]_ -- even if this won't work at all, I'd be thankful for an explanation. So -- anyone giving me EITHER an idea I didn't have myself yet OR an explanation of these error messages will get a very sincere, conscious, thoughtful and meaningful click on this great "thanks" button.


----------



## dvl@ (Aug 7, 2021)

Here I am, 5 years later, same situation, same problem:


```
[root@jail-testing:/] $ service jail start
Starting jails:mount: .: Operation not permitted
jail: freshports: /sbin/mount -t devfs -oruleset=4 . /jails/freshports/dev: failed
.
[root@jail-testing:/] $
```


----------



## Alain De Vos (Aug 7, 2021)

It seems to work for me.
Here is my jail.conf:

```
path = "/jails/$name";
host.hostname = "$name";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
ip4 = inherit;
ip6 = inherit;
mount.devfs;
mount.fdescfs;
allow.mount;
allow.mount.devfs;
allow.mount.fdescfs;
allow.mount.nullfs;
allow.mount.tmpfs;
allow.mount.procfs;
allow.mount.zfs;
enforce_statfs=1;
children.max=100;
allow.socket_af;
allow.raw_sockets;
allow.chflags;
allow.sysvipc;
a {
devfs_ruleset="20";
}
```
And my devfs.rules


```
[a=20]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'mixer*' unhide
add path 'dsp*' unhide
add path 'zfs*' unhide
```


----------



## dvl@ (Aug 7, 2021)

Thank you. Tried that, same issue.


```
Starting jails:mount: .: Operation not permitted
jail: freshports: /sbin/mount -t devfs -oruleset=20 . /jails/freshports/dev: failed
.
```


----------



## dvl@ (Aug 7, 2021)

Which makes me wonder: since jail-testing is itself a jail, which is launching the above jail, is there something missing from the jail.conf on the host that launches jail-testing?


----------



## dvl@ (Aug 7, 2021)

My missing magic was


```
devfs_ruleset=0
```

My working /etc/jail.conf is:


```
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = /jails/$name;
allow.raw_sockets;
securelevel = 2;
exec.consolelog="/var/tmp/jail-$name";

host.hostname = "$name.int.unixathome.org";

persist;
test01 {
    host.hostname = "test01";

    ip4 = inherit;
    persist;

    devfs_ruleset=0;

    allow.mount=true;
    enforce_statfs=1;
    allow.mount.devfs;
    allow.mount.procfs;
}
```
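The fix above, turned into a check. As an added example that is not code from this thread, the POSIX sh/awk script below reads a jail.conf and flags jails that are allowed to host devfs mounts (allow.mount.devfs) while still enforcing a devfs ruleset, which is what made the inner jail's mount fail here. It assumes jail(8)'s default of ruleset 4 when mount.devfs is set without devfs_ruleset (as the `-oruleset=4` in the error lines shows), one statement per line, and no `+=` or nested blocks in the file.

```shell
#!/bin/sh
# Constructed checker for this thread's pitfall (not code from the thread): a jail that hosts
# child jails must not enforce a devfs ruleset, or the children's "mount -t devfs -oruleset=N"
# fails with EPERM. jail(8) uses ruleset 4 when mount.devfs is set without devfs_ruleset.
check_nested_devfs() {                        # usage: check_nested_devfs /etc/jail.conf
    awk '
    function report(name,   rs, cm, es, f) {
        rs = j["devfs_ruleset"]
        if (rs == "" && j["mount.devfs"] == "true") rs = 4      # jail(8) default, as in the thread
        rs += 0; cm = j["children.max"] + 0; f = ""
        es = (j["enforce_statfs"] == "") ? 2 : j["enforce_statfs"] + 0
        if (j["allow.mount.devfs"] == "true") {                 # this jail intends to host devfs mounts
            if (rs != 0) f = f " devfs_ruleset=" rs " blocks child devfs mounts with EPERM, set devfs_ruleset=0;"
            if (es > 1) f = f " enforce_statfs=" es " forbids mounting, use 1;"
            if (cm == 0) f = f " children.max=0 permits no child jails;"
        }
        if (f == "") printf("%s: OK%s\n", name, (rs == 0) ? " (no devfs ruleset enforced for its own /dev)" : "")
        else { bad = 1; printf("%s: WARN%s\n", name, f) }
    }
    { sub(/#.*/, ""); line = $0; gsub(/^[ \t]+|[ \t;]+$/, "", line); if (line == "") next
      if (line ~ /[{]$/) { name = line; sub(/[ \t]*[{]$/, "", name); inblock = 1
                           split("", j); for (k in g) j[k] = g[k]; next }   # a block inherits the globals
      if (line == "}") { report(name); inblock = 0; next }
      key = line; value = "true"                                 # bare "param;" means true
      if (index(line, "=")) { sub(/[ \t]*=.*/, "", key)
                              value = line; sub(/^[^=]*=[ \t]*/, "", value); gsub(/"/, "", value) }
      if (inblock) j[key] = value; else g[key] = value
    }
    END { exit (bad ? 1 : 0) }' "$1"
}
# Constructed jail.conf: "builder" resembles the first post, "test01" the final working fix.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
mount.devfs;
builder {
    children.max = 20;
    allow.mount.devfs;
    enforce_statfs=1;
}
test01 {
    devfs_ruleset=0;
    allow.mount.devfs;
    enforce_statfs=1;
    children.max=5;
}
EOF
    echo "$f"
}
conf=$(write_sample_conf); check_nested_devfs "$conf" || echo "at least one jail needs attention"; rm -f "$conf"
```

Note the OK line for test01: devfs_ruleset=0 also means no ruleset is enforced for that intermediate jail's own /dev (per jail(8)), so its device visibility has to be restricted by other means if that matters.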


----------

