support USB in jails

gronke · gronke · commit 700183feacf4 · 2019-02-23T18:40:20.000+01:00
diff --git a/libioc/Config/Jail/BaseConfig.py b/libioc/Config/Jail/BaseConfig.py
@@ -536,6 +536,19 @@ def _get_host_domainname(self) -> str:
         except KeyError:
             return "local"
 
+    def _get_usb_device(self) -> typing.List[str]:
+        devices = self.data["usb_device"].split()  # type: typing.List[str]
+        return devices
+
+    def _set_usb_device(
+        self,
+        value: typing.Union[typing.List[str], str]
+    ) -> None:
+        if isinstance(value, list):
+            self.data["usb_device"] = " ".join(value)
+        else:
+            self.data["usb_device"] = value
+
     def get_string(self, key: str) -> str:
         """Get the stringified value of a configuration property."""
         return self.stringify(self.__getitem__(key))
diff --git a/libioc/Config/Jail/Globals.py b/libioc/Config/Jail/Globals.py
@@ -68,6 +68,8 @@
     "allow_mount_fdescfs": 0,
     "allow_mount_zfs": 0,
     "allow_mount_tmpfs": 0,
+    "allow_usb": 0,
+    "usb_device": ["ugen*"],
     "allow_quotas": 0,
     "allow_socket_af": 0,
     "allow_vmm": False,
diff --git a/libioc/Jail.py b/libioc/Jail.py
@@ -1616,7 +1616,7 @@ def devfs_ruleset(self) -> libioc.DevfsRules.DevfsRuleset:
         if self._dhcp_enabled is True:
             devfs_ruleset.append("add path 'bpf*' unhide")
 
-        if self._allow_mount_zfs == "1":
+        if self._allow_mount_zfs is True:
             devfs_ruleset.append("add path zfs unhide")
 
         if self.config["jail_zfs"] is True:
@@ -1643,6 +1643,12 @@ def devfs_ruleset(self) -> libioc.DevfsRules.DevfsRuleset:
             devfs_ruleset.append("add path vmm/* unhide")
             devfs_ruleset.append("add path nmdm* unhide")
 
+        if self.config["allow_usb"] is True:
+            devfs_ruleset.append("add path 'usb/*' unhide")
+            devfs_ruleset.append("add path 'usbctl' unhide")
+            for usb_device in self.config["usb_device"]:
+                devfs_ruleset.append(f"add path '{usb_device}' unhide")
+
         # create if the final rule combination does not exist as ruleset
         if devfs_ruleset not in self.host.devfs:
             self.logger.verbose("New devfs ruleset combination")
