support USB in jails

Author: gronke

libioc/Config/Jail/BaseConfig.py

@@ -535,6 +535,19 @@ def _get_host_domainname(self) -> str:
         except KeyError:
             return "local"
 
+    def _get_usb_device(self) -> typing.List[str]:
+        devices = self.data["usb_device"].split()  # type: typing.List[str]
+        return devices
+
+    def _set_usb_device(
+        self,
+        value: typing.Union[typing.List[str], str]
+    ) -> None:
+        if isinstance(value, list):
+            self.data["usb_device"] = " ".join(value)
+        else:
+            self.data["usb_device"] = value
+
     def get_string(self, key: str) -> str:
         """Get the stringified value of a configuration property."""
         return self.stringify(self.__getitem__(key))

libioc/Config/Jail/Defaults.py

@@ -70,6 +70,8 @@
     "allow_mount_fdescfs": 0,
     "allow_mount_zfs": 0,
     "allow_mount_tmpfs": 0,
+    "allow_usb": 0,
+    "usb_device": ["ugen*"],
     "allow_quotas": 0,
     "allow_socket_af": 0,
     "rlimits": None,

libioc/Jail.py

@@ -1600,9 +1600,15 @@ def devfs_ruleset(self) -> libioc.DevfsRules.DevfsRuleset:
         if self._dhcp_enabled is True:
             devfs_ruleset.append("add path 'bpf*' unhide")
 
-        if self._allow_mount_zfs == "1":
+        if self._allow_mount_zfs is True:
             devfs_ruleset.append("add path zfs unhide")
 
+        if self.config["allow_usb"] is True:
+            devfs_ruleset.append("add path 'usb/*' unhide")
+            devfs_ruleset.append("add path 'usbctl' unhide")
+            for usb_device in self.config["usb_device"]:
+                devfs_ruleset.append(f"add path '{usb_device}' unhide")
+
         # create if the final rule combination does not exist as ruleset
         if devfs_ruleset not in self.host.devfs:
             self.logger.verbose("New devfs ruleset combination")