NAME

appjail-devfs — Dynamic DEVFS ruleset management

SYNOPSIS

appjail devfs append jail file

appjail devfs apply [-r [auto|ruleset]] jail [rulenum|rulespec ...]

appjail devfs applyset [-r [auto|ruleset]] jail

appjail devfs del jail rulenum

appjail devfs delset [-q] jail

appjail devfs get [-eHIipt] -n nro jail [keyword ...]

appjail devfs list [-eHIipt] [-n nro] jail [keyword ...]

appjail devfs load [-r [auto|ruleset]] jail

appjail devfs remove [all|nro nro] jail

appjail devfs ruleset assign [-R] [-r [auto|ruleset]] jail

appjail devfs ruleset get jail

appjail devfs ruleset remove jail

appjail devfs set [-E|-e] [-N name] [-n [auto|nro]] jail rulespec

appjail devfs show [-n name] [-r [auto|ruleset]] jail

appjail devfs showsets

appjail devfs status jail

DESCRIPTION

The appjail devfs utility dynamically manages devices inside jails using the DEVFS subsystem. This changes the way you managed devices, i.e. you are not required to modify the devfs.rules(5) file or reload the devfs rc(8) script before using the ruleset, as this command performs the work for you.

However, AppJail supports both approaches. The “classic way” is the one you know best: modify your devfs.rules(5) file to place any devices you need in your jails, reload the rules by restarting the devfs rc(8) script, and set devfs_ruleset to the ruleset number you had specified. The “modern way” involves this subcommand, which is usually achieved in combination with the appjail-quick(1)'s device option.

How a ruleset number is assigned depends on the algorithm set by the DEVFS_ASSIGN_ALGO parameter.

The options are as follows:

append jail file

Read a file line by line to add new rules. This subcommand calls the set subcommand to add a rule for each line.

apply [-r [auto|ruleset]] jail [rulenum|rulespec ...]

Apply rule number rulenum or the rule described by rulespec to the jail's /dev directory. Rules that are “applied” have their conditions checked against all nodes in the mount-point and the actions taken if they match.

Before applying a rule, this subcommand sets ruleset to the ruleset specified by -r as the current for the jail's /dev directory.

See ruleset assign for how the ruleset number is assigned.

applyset [-r [auto|ruleset]] jail

Apply all the rules in the ruleset to the jail's /dev directory.

This subcommand first loads all enabled rules set by the set subcommand and then applies them to the jail's /dev directory with the specified ruleset.

See ruleset assign for how the ruleset number is assigned.

del jail rulenum

Delete rule number rulenum from the ruleset.

The ruleset must be loaded before using this subcommand. After deleting the rule number, the ruleset is applied to the jail's /dev directory for the changes to take effect.

delset [-q] jail

Delete all rules from the ruleset.

The ruleset must be loaded before using this subcommand unless -q is specified, which means that 0 is returned even if the ruleset is not loaded.

get [-eHIipt] -n nro jail [keyword ...]

Get information about current rules, that is, the keyword that represent the information to be obtained. Multiple keywords can be specified, which are displayed as a table-like interface in the order in which they are specified. If no keyword is specified, the defaults are nro, enabled, name, rule and loaded.

See KEYWORDS for a list of available keywords.

-e: Not required when using -p. The \t character is used to delimit columns, so as not to show strange values, this option shows <TAB> instead of \t in the case that a value contains the latter.
-H: Shows the name of the columns.
-I: Include empty values. By default, a minus sign is displayed when a value is empty.
-i: Don't complain when nro doesn't exist.
-p: Columnate the list.
-t: Tabulate columns and values.
-n nro: Identifier.

list [-eHIipt] [-n nro] jail [keyword ...]

Similar to get but shows each keyword for each rule in a nice table.

-e, -H, -I, -p, -t: All of these options perform the opposite task of the options described in get.
-i: Perform the same task as described in get.
-n nro: Only show information for nro.

load [-r [auto|ruleset]] jail

Load and apply all enabled rules set by the set subcommand.

See ruleset assign for how the ruleset number is assigned.

remove [all|nro nro] jail

Remove a given rule.

all: Remove all rules.
nro nro: Remove the rule specified by nro.

ruleset assign [-R] [-r [auto|ruleset]] jail

Assign a ruleset number for jail using the algorithm specified by the DEVFS_ASSIGN_ALGO parameter if -r is set to auto, but if it is a non-negative (and non-zero) number, it is set as the current ruleset number. Note that setting the ruleset number to an existing one may overwrite any rules it has.

If the ruleset number is already assigned, this subcommand will not reassign another one unless -R is specified.

Once this subcommand completes, the assigned ruleset number is displayed.

ruleset get jail

Shows the current ruleset number assigned.

set [-E|-e] [-N name] [-n [auto|nro]] jail rulespec

Configure a new or existing rule.

[-E|-e]: Enable (-E) or disable (-e) this rule.
-N name: Brief description about this rule.
-n [auto|nro]: Identifier. An identifier is composed of a positive number. Use auto (default) to get the lowest identifier value.

show [-n name] [-r [auto|ruleset]] jail

Display the rules as a valid devfs.rules(5) file. The first line between brackets denotes the start of a ruleset. In the brackets should be the name of a ruleset specified by -n or devfsrules_XXXXXXXXXXX (where the Xs are a random string) if no name is specified and its number specified by -r, separated by an equal sign.

See ruleset assign for how the ruleset number is assigned.

showsets