APPJAIL-DEVFS(1)	    General Commands Manual	      APPJAIL-DEVFS(1)

NAME
       appjail-devfs --	Dynamic	DEVFS ruleset management

SYNOPSIS
       appjail devfs append jail
       appjail devfs apply [-r [auto|ruleset]] jail [rulenum|rulespec ...]
       appjail devfs applyset [-r [auto|ruleset]] jail
       appjail devfs del jail rulenum
       appjail devfs delset [-q] jail
       appjail devfs get [-eHIipt] -n nro jail [keyword	...]
       appjail devfs list [-eHIipt] [-n	nro] jail [keyword ...]
       appjail devfs load [-r [auto|ruleset]] jail
       appjail devfs remove [all|nro nro] jail
       appjail devfs ruleset assign [-R] [-r [auto|ruleset]] jail
       appjail devfs ruleset get jail
       appjail devfs ruleset remove jail
       appjail devfs set [-E|-e] [-N name] [-n [auto|nro]] jail	rulespec
       appjail devfs show [-n name] [-r	[auto|ruleset]]	jail
       appjail devfs showsets
       appjail devfs status jail

DESCRIPTION
       The appjail devfs utility dynamically manages devices inside jails
       using the DEVFS subsystem. This changes the way you manage devices:
       you are not required to modify the devfs.rules(5) file or reload the
       devfs rc(8) script before using the ruleset, as this command performs
       the work for you.

       However, AppJail supports both approaches. The "classic way" is the one
       you know best: modify your devfs.rules(5) file to place any devices you
       need in your jails, reload the rules by restarting the devfs rc(8)
       script, and set devfs_ruleset to the ruleset number you specified.
       The "modern way" involves this subcommand, which is usually used in
       combination with appjail-quick(1)'s device option.

       How a ruleset number is assigned	depends	on the algorithm  set  by  the
       DEVFS_ASSIGN_ALGO parameter.

       The options are as follows:

       append jail
	    Read  a  file line by line to add new rules. This subcommand calls
	    the	set subcommand to add a	rule for each line.

       apply [-r [auto|ruleset]] jail [rulenum|rulespec	...]
	    Apply rule number rulenum or the rule described by rulespec	to the
	    jail's /dev	directory. Rules that are "applied" have their	condi-
	    tions checked against all nodes in the mount-point and the actions
	    taken if they match.

	    Before applying a rule, this subcommand sets the ruleset specified
	    by -r as the current ruleset for the jail's /dev directory.

	    See	ruleset	assign for how the ruleset number is assigned.

       applyset	[-r [auto|ruleset]] jail
	    Apply all the rules	in the ruleset to the jail's /dev directory.

	    This subcommand first loads	all enabled rules set by the set  sub-
	    command  and  then	applies	them to	the jail's /dev	directory with
	    the	specified ruleset.

	    See	ruleset	assign for how the ruleset number is assigned.

       del jail	rulenum
	    Delete rule	number rulenum from the	ruleset.

	    The	ruleset	must be	loaded before  using  this  subcommand.	 After
	    deleting  the  rule	 number,  the ruleset is applied to the	jail's
	    /dev directory for the changes to take effect.

       delset [-q] jail
	    Delete all rules from the ruleset.

	    The	ruleset	must be	loaded before using this subcommand unless  -q
	    is	specified,  which means	that 0 is returned even	if the ruleset
	    is not loaded.

       get [-eHIipt] -n	nro jail [keyword ...]
	    Get information about current rules; each keyword represents the
	    information to be obtained. Multiple keywords can be specified,
	    and they are displayed in a table-like interface in the order in
	    which they are specified. If no keyword is specified, the defaults
	    are nro, enabled, name, rule and loaded.

	    See	"KEYWORDS" for a list of available keywords.

	    -e	Not required when using -p. The \t character is used to
		delimit columns; so as not to show strange values, this
		option shows <TAB> instead of \t when a value contains the
		latter.

	    -H	Shows the name of the columns.

	    -I	Include	empty values. By default, a minus  sign	 is  displayed
		when a value is	empty.

	    -i	Don't complain when nro	doesn't	exist.

	    -p	Columnate the list.

	    -t	Tabulate columns and values.

	    -n nro
		Identifier.

       list [-eHIipt] [-n nro] jail [keyword ...]
	    Similar  to	 get  but  shows  each keyword for each	rule in	a nice
	    table.

	    -e,	-H, -I,	-p, -t
		All of these options perform the opposite task of the  options
		described in get.

	    -i	Perform the same task as described in get.

	    -n nro
		Only show information for nro.

       load [-r	[auto|ruleset]]	jail
	    Load and apply all enabled rules set by the	set subcommand.

	    See	ruleset	assign for how the ruleset number is assigned.

       remove [all|nro nro] jail
	    Remove a given rule.

	    all
		Remove all rules.

	    nro	nro
		Remove the rule specified by nro.

       ruleset assign [-R] [-r [auto|ruleset]] jail
	    Assign a ruleset number for jail. If -r is set to auto, the
	    number is chosen using the algorithm specified by the
	    DEVFS_ASSIGN_ALGO parameter; if it is a non-negative (and
	    non-zero) number, that number is set as the current ruleset
	    number. Note that setting the ruleset number to an existing one
	    may overwrite any rules it has.

	    If the ruleset number is already assigned,	this  subcommand  will
	    not	reassign another one unless -R is specified.

	    Once  this	subcommand  completes,	the assigned ruleset number is
	    displayed.

       ruleset get jail
	    Shows the current ruleset number assigned.

       set [-E|-e] [-N name] [-n [auto|nro]] jail rulespec
	    Configure a	new or existing	rule.

	    [-E|-e]
		Enable (-E) or disable (-e) this rule.

	    -N name
		Brief description about	this rule.

	    -n [auto|nro]
		Identifier. An identifier is composed of  a  positive  number.
		Use auto (default) to get the lowest identifier	value.

       show [-n	name] [-r [auto|ruleset]] jail
	    Display the rules as a valid devfs.rules(5) file. The first line,
	    between brackets, denotes the start of a ruleset. The brackets
	    contain the ruleset name specified by -n, or
	    devfsrules_XXXXXXXXXXX (where the Xs are a random string) if no
	    name is specified, and the ruleset number specified by -r,
	    separated by an equal sign.

	    See	ruleset	assign for how the ruleset number is assigned.

       showsets
	    Report the numbers of existing rulesets.

	    Unlike devfs(8)'s showsets,	it  includes  jail's  ruleset  numbers
	    even if they are not currently applied.

       status jail
	    Display all	the rules in the ruleset.

KEYWORDS
       nro
	   Identifier.

       enabled
	   Shows 1 if the rule is enabled, 0 if	it is not.

       name
	   Brief description about this	rule.

       rule
	   The rule that will be applied.

EXIT STATUS
       The  appjail  devfs  utility exits 0 on success,	and >0 if an error oc-
       curs.
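
EXAMPLES
       The show subcommand prints a jail's rules in devfs.rules(5) format,
       which makes them easy to review before they are applied. The following
       sh script is an added example, not part of AppJail or of the original
       manual page: it reads such output and reports rules that unhide device
       nodes on a watch list. The SENSITIVE list and the jail name and ruleset
       number in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not AppJail code): audit devfs.rules(5)-format text, such as
# the output of "appjail devfs show", for rules that unhide sensitive nodes.
# SENSITIVE is an assumed watch list; adjust it to your own policy.
SENSITIVE="mem kmem io bpf pci"

# Constructed sample ruleset (hypothetical jail name and ruleset number).
sample_ruleset() {
    cat <<'EOF'
[devfsrules_webjail=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path 'bpf*' unhide
add path zfs unhide
add path 'tun*' unhide mode 0660
add path mem hide
EOF
}

# Reads a ruleset on stdin, prints "<header>: path <pattern> exposes <dev>"
# per finding, and returns 1 if anything was flagged, 0 otherwise.
audit_ruleset() {
    _set="(no header)"; _rc=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            ''|'#'*) continue ;;                          # blank or comment
            '['*']') _set=${_line#\[}; _set=${_set%\]}; continue ;;
        esac
        set -f; set -- $_line; set +f                     # split, no globbing
        _pat=""; _unhide=0
        while [ $# -gt 0 ]; do
            case "$1" in
                path)   _pat=${2:-}; [ $# -gt 1 ] && shift ;;
                unhide) _unhide=1 ;;
            esac
            shift
        done
        [ "$_unhide" -eq 1 ] && [ -n "$_pat" ] || continue
        _pat=$(printf '%s' "$_pat" | tr -d "'\"")         # strip quotes
        for _dev in $SENSITIVE; do                        # name vs. rule glob
            case "$_dev" in
                $_pat) echo "$_set: path $_pat exposes $_dev"; _rc=1 ;;
            esac
        done
    done
    return "$_rc"
}

sample_ruleset | audit_ruleset || echo "review the rules listed above"
```

       To audit a real jail, pipe the output of appjail devfs show jail into
       audit_ruleset. Rulesets pulled in through include lines are not
       followed and need to be audited separately.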

SEE ALSO
       sysexits(3), devfs(5), devfs.rules(5), devfs(8)

AUTHORS
       Jesús Daniel Colmenares Oviedo <DtxdF@disroot.org>

FreeBSD	Ports 14.quarterly	April 17, 2024		      APPJAIL-DEVFS(1)
