DF-0165 / run.log
---- jail default policy (should all be 0): ----
jail.defaults.allow_raw_sockets: 0
jail.defaults.vfs_mount_nullfs: 0
jail.defaults.vfs_mount_tmpfs: 0
jail.defaults.vfs_mount_devfs: 0
jail.defaults.vfs_mount_procfs: 0
---- running bypass as root (will create + enter jail): ----
jail() ok: jid=11 (now jailed as uid=0)
=== DF-0165 demo: cap-gated actions inside jail ===
(jail default policy: allow_raw_sockets=0,
vfs_mount_{nullfs,tmpfs,devfs,procfs}=0 -> all should EPERM)
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) [SYSCAP_NONET_RAW]
-> OK fd=3 *** BYPASS ***
mount("tmpfs", /tmp/df0165-mnt-tmpfs) [SYSCAP_NOMOUNT_TMPFS]
-> OK *** BYPASS ***
mount("null", /tmp/df0165-mnt-nullfs) [SYSCAP_NOMOUNT_NULLFS]
-> OK *** BYPASS ***
mount("devfs", /tmp/df0165-mnt-devfs) [SYSCAP_NOMOUNT_DEVFS]
-> OK *** BYPASS ***
mount("procfs", /tmp/df0165-mnt-procfs) [SYSCAP_NOMOUNT_PROCFS]
-> OK *** BYPASS ***
=== end: 5 cap-gated action(s) bypassed jail policy ===
RC=0
OUTER_RC=0