| rule add[rulenumrulespec] || Add the rule described by rulespec (defined below) to the ruleset. The rule has the number rulenum if it is explicitly specified; otherwise, the rule number is automatically determined by the kernel. |
| rule apply rulenum | rulespec || Apply rule number rulenum or the rule described by rulespec to the mount-point. Rules that are "applied" have their conditions checked against all nodes in the mount-point and the actions taken if they match. |
| rule applyset || Apply all the rules in the ruleset to the mount-point (see above for the definition of "apply"). |
| rule del rulenum || Delete rule number rulenum from the ruleset. |
| rule delset || Delete all rules from the ruleset. |
| rule show [rulenum] || Display the rule number rulenum, or all the rules in the ruleset. The output lines (one line per rule) are expected to be valid rulespec s. |
| rule showsets || Report the numbers of existing rulesets. |
| ruleset ruleset || Set ruleset number ruleset as the current ruleset for the mount-point. |
The following actions are recognized. Although there is no explicit delimiter between conditions and actions, they may not be intermixed.
When the system boots, the only ruleset that exists is ruleset number 0; since the latter may not be modified, we have to create another ruleset before adding rules. Note that since most of the following examples do not specify -m , the operations are performed on /dev (this only matters for things that might change the properties of nodes).
"devfs ruleset 10"
Specify that ruleset 10 should be the current ruleset for /dev (if it does not already exist, it is created).
"devfs rule add path speaker mode 666"
Add a rule that causes all nodes that have a path that matches "speaker" (this is only /dev/speaker) to have the file mode 666 (read and write for all). Note that if any such nodes already exist, their mode will not be changed unless this rule (or ruleset) is explicitly applied (see below). The mode will be changed if the node is created after the rule is added (e.g., the atspeaker module is loaded after the above rule is added).
"devfs rule applyset"
Apply all the rules in the current ruleset to all the existing nodes. E.g., if the above rule was added after /dev/speaker was created, this command will cause its file mode to be changed to 666 as prescribed by the rule.
devfs rule add path "snp*" mode 660 group snoopers
(Quoting the argument to path is often necessary to disable the shells globbing features.) For all devices with a path that matches "snp*", set the file mode to 660 and the GID to "snoopers". This permits users in the "snoopers" group to use the snp(4) devices.
"devfs rule -s 20 add major 53 group games"
Add a rule to ruleset number 20. Since this ruleset is not the current ruleset for any mount-points, this rule is never applied automatically (unless ruleset 20 becomes a current ruleset for some mount-point at a later time). However, it can be applied explicitly, as such:
"devfs -m /my/jail/dev rule -s 20 applyset"
This will apply all rules in ruleset number 20 to the DEVFS mount on /my/jail/dev. It does not matter that ruleset 20 is not the current ruleset for that mount-point; the rules are still applied.
"devfs rule apply hide"
Since this rule has no conditions, the action (hide) will be applied to all nodes. Since hiding all nodes is not very useful, we can undo it:
"devfs rule apply unhide"
which applies unhide to all the nodes, causing them to reappear.
"devfs rule -s 10 add - < my_rules"
Add all the rules from the file my_rules to ruleset 10.
"devfs rule -s 20 show | devfs rule -s 10 add -"
Since show outputs valid rules, this feature can be used to copy rulesets. The above copies all the rules from ruleset 20 into ruleset 10. The rule numbers are preserved, but ruleset 10 may already have rules with non-conflicting numbers (these will be preserved).
chmod(1), jail(2), glob(3), devfs(5), chown(8), jail(8), mknod(8)