# Jails & mounts



## jlgerfen (Oct 17, 2012)

I am attempting to mount an ISO with specific options inside a jail.

I first created a new blank ISO

```
dd if=/dev/zero of=file.iso bs=1024 count=102040
```

Then put an ext2fs on it

```
mke2fs file.iso
```

Ensure rc.conf & sysctl.conf allow for mounts

```
jail_name_mount_enable="YES"
```


```
security.jail.mount_allowed=1
```

Created a simple startup script to handle mdconfig on the ISO

```
#!/bin/sh

# PROVIDE: jail_mount
# BEFORE: DAEMON

. /etc/rc.subr

name=jail_mount
rcvar=jail_mount_enable

start_cmd="${name}_start"
stop_cmd="${name}_stop"

load_rc_config $name

# Default to disabled unless jail_mount_enable="YES" is set in rc.conf
eval "${rcvar}=\${${rcvar}:-'NO'}"

# Attach the file-backed image as /dev/md0 so the jail's fstab can mount it
jail_mount_start()
{
        /sbin/mdconfig -a -t vnode -f /jail/file.iso -u 0
}

# Detach the md device again on shutdown
jail_mount_stop()
{
        /sbin/mdconfig -d -u 0
        /bin/unlink /dev/md0
}
run_rc_command "$1"
```

And accounted for it within the jail's fstab.name

```
# Device         Mountpoint   FStype   Options                          Dump   Pass#
/dev/md0         /jail/tmp    ext2fs   rw,nosuid,noexec,nosymfollow     0      0
```

I must be missing something... outside of the jail:

```
/dev/md0 on /jail/tmp (ext2fs, local, noexec, nosuid, nosymfollow)
```

And inside the jail:

```
# jexec 1 mount
/dev/ada0p2 on / (ufs, local, journaled soft-updates)
```

What am I missing?


----------



## SirDice (Oct 18, 2012)

```
dice@molly:~> sysctl security.jail.enforce_statfs
security.jail.enforce_statfs: 2
```

From jail(8):

```
enforce_statfs
             This determines which information processes in a jail are able to
             get about mount points.  It affects the behaviour of the following
             syscalls: statfs(2), fstatfs(2), getfsstat(2) and fhstatfs(2)
             (as well as similar compatibility syscalls).  When set to 0, all
             mount points are available without any restrictions.  When set to
             1, only mount points below the jail's chroot directory are visible.
             In addition to that, the path to the jail's chroot directory
             is removed from the front of their pathnames.  When set to 2
             (default), above syscalls can operate only on a mount-point where
             the jail's chroot directory is located.
```


----------



## jlgerfen (Oct 18, 2012)

*doh*

Well, that worked, and I can now see the options I am attempting to use on the mount within the jail.


```
# jexec 1 mount
/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/dev/md0 on /tmp (ext2fs, local, noexec, nosuid, nosymfollow)
devfs on /dev (devfs, local, multilabel)
```

Perhaps I am missing something, but when I create symlinks within the /tmp partition, the jail still follows them.
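As an added check (not code from this thread or from FreeBSD), a POSIX sh script that parses mount(8) output in the form the posts above show it and verifies that the jail's /tmp mount is both visible (it is hidden from the jail when enforce_statfs leaves it out) and carries nosuid, noexec and nosymfollow. The sample output is constructed from this thread; the mount point and option names are assumptions to adapt.

```shell
#!/bin/sh
# Audit mount(8) output for a jail: confirm a mount point is listed at all and
# that it carries every hardening option we expect. Pure POSIX sh, no tools.
# SAMPLE_MOUNT_OUTPUT is constructed from the jexec mount output in this thread.

SAMPLE_MOUNT_OUTPUT='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/dev/md0 on /tmp (ext2fs, local, noexec, nosuid, nosymfollow)
devfs on /dev (devfs, local, multilabel)'

# mount_options "<mount output>" <mountpoint>
# Prints the option list of <mountpoint> exactly as mount(8) shows it
# ("ext2fs, local, noexec, ..."), or nothing if the mount point is not listed.
mount_options() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *" on $2 ("*")")
                line=${line#*"("}              # strip "device on mountpoint ("
                printf '%s\n' "${line%")"}"    # strip the trailing ")"
                ;;
        esac
    done
}

# check_mount "<mount output>" <mountpoint> <option>...
# Returns 0 when the mount point is visible and has every option,
# 1 when it is not visible at all, 2 when at least one option is missing.
check_mount() {
    out=$1; mp=$2; shift 2
    opts=$(mount_options "$out" "$mp")
    if [ -z "$opts" ]; then
        echo "$mp: not visible in mount output (check security.jail.enforce_statfs)"
        return 1
    fi
    rc=0
    for want in "$@"; do
        case ", $opts," in
            *", $want,"*) ;;
            *) echo "$mp: missing option $want"; rc=2 ;;
        esac
    done
    return $rc
}

# Stand-alone usage against the constructed sample
check_mount "$SAMPLE_MOUNT_OUTPUT" /tmp nosuid noexec nosymfollow && echo "/tmp: ok"
```

Inside a real jail, feed it `jexec <jid> mount` output instead of the sample.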


----------

