From: "Isaac (.ike) Levy"
Subject: Re: building with "CLANG"
Date: Tue, 15 Jan 2013 00:01:53 -0500
To: other@ahhyes.net
Cc: freebsd-jail@freebsd.org
In-Reply-To: <191d7b2570889a980a349b588e6a93ed@ahhyes.net>
References: <6ada79496d6ff60271992bdcc44a1882@ahhyes.net> <191d7b2570889a980a349b588e6a93ed@ahhyes.net>
Message-Id: <1358226122-1532940.73545663.fr0F51rmE000344@rs149.luxsci.com>
List-Id: "Discussion about FreeBSD jail(8)"

Hi Guys,

I can't bring myself to top-post on a BSD list,
And I'm in a particularly verbose mood as I debug an unrelated nasty mess,

On Jan 14, 2013, at 9:30 PM, other@ahhyes.net wrote:

>
>
> Hi Alexus,
>
> I could, but it's going to be time consuming.
> There are almost no clues (even with a google search) on what this option does. I
> am waiting to know if I can safely keep going the way I am and not have
> any serious problems. I updated the base OS ok, I just reinstalled world
> for one of my jails and ran mergemaster also to update it. Didn't have
> any major issues however I noticed the NO_FSCHG= business in the
> article.
>
> Would be nice if someone could document what the hell
> NO_FSCHG= does..
>

Indeed!

--

Deal is, after grokking some source, I *believe* this signals clang not to set particular files with the immutable 'schg' flag when installing world to your $DESTDIR.

Please try following up with the page author.
(Perhaps jump in the Clang IRC channel listed on the page, and try to ask the wiki page author?)

--

If I am correct:

I've not been down the clang jails path yet, (exciting!), but I'm assuming this is a new convenience feature tossed in, with interesting ramifications…

The old days with jail:

  rm -rf /path/to/jail/dir

- This would fail without first recursively un-setting the schg immutable flags on files in the filesystem.
  (UNIX newbs hit list, make new friends, and learn the power of chflags(1))

So, NO_FSCHG is either extremely convenient, or extremely dangerous- depending on what kind of packets reach your jailed interface…

Why does this matter with jail(8)?

With this convenience, much (if not all) of the functionality of the '-s' flag in jail(8) is lost!

     -s securelevel
             Set the kern.securelevel MIB entry to the specified value
             inside the newly created jail.  This is deprecated and is
             equivalent to setting the securelevel parameter.

--

This fun goes way back,
http://seann.herdejurgen.com/resume/samag.com/html/v10/i05/a4.htm

Basically, one could fork bomb the machine, rendering all jailed systems useless- and BSD Secure Levels + login.conf in the jails were the ultimate fix.
Except back then, we didn't have the -s flag, (had to reboot a machine into a higher secure level to get this kind of protection, pretty inflexible, so it was rarely applied).

Rocket-
.ike

>>> I recently tried to give CLANG a go with
>>> rebuilding the system (9.0-RELEASE to 9.1-RELEASE). Having read:
>>> https://wiki.freebsd.org/BuildingFreeBSDWithClang [1] everything seems
>>> to be working ok.
>>>
>>> I noticed something in the document that got me
>>> concerned:
>>>
>>> # Don't forget this when using Jails!
>>> NO_FSCHG=
>>>
>>> There is a suggestion to add the above to src.conf -- Can someone
>>> please explain what this does? Having forgotten to do this, am I going
>>> to have any major problems?
>>>
>>> Alex.
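The chflags/securelevel interaction .ike describes above, as an added example that is not part of the thread: a small POSIX shell script that lists the schg-flagged files under a jail tree (which is also how you can check what an installworld with NO_FSCHG set actually changed in a $DESTDIR), refuses to clear the flag when kern.securelevel is already 1 or higher, and otherwise clears it recursively before rm -rf. It assumes FreeBSD's chflags(1), find(1) and sysctl(8); the jail path is a hypothetical argument supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and clear the schg flag on a
# jail tree before removing it. Assumes FreeBSD chflags(1), find(1) and
# sysctl(8); the jail directory is a hypothetical path passed in by the caller.

# Print every file under $1 that carries the system-immutable flag.
# After an installworld done with NO_FSCHG set this should print nothing for
# that DESTDIR; without NO_FSCHG the flagged base-system files show up here.
list_schg() {
    find "$1" -flags +schg
}

# Number of schg-flagged files under $1 (0 means schg will not stop rm -rf).
count_schg() {
    list_schg "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Refuse paths that are obviously not a single jail directory.
# Returns 0 if the path looks acceptable, 1 otherwise.
is_safe_jail_path() {
    case "$1" in
        ""|/|/.|/usr|/usr/jails|/usr/jails/) return 1 ;;
        /*) return 0 ;;          # require an absolute path
        *)  return 1 ;;
    esac
}

# Remove a jail tree. schg files cannot be unlinked even by root, and
# chflags noschg itself fails with EPERM once kern.securelevel >= 1, so
# check the securelevel first, then clear the flags, then rm -rf.
remove_jail_tree() {
    dir=$1
    is_safe_jail_path "$dir" || { echo "refusing to remove '$dir'" >&2; return 1; }
    level=$(sysctl -n kern.securelevel 2>/dev/null || echo -1)
    if [ "$level" -ge 1 ]; then
        echo "kern.securelevel=$level: schg cannot be cleared without a reboot" >&2
        return 1
    fi
    chflags -R noschg "$dir" && rm -rf "$dir"
}

# Usage: sh remove_jail.sh /usr/jails/oldjail
if [ -n "$1" ]; then
    echo "schg-flagged files before removal: $(count_schg "$1")"
    remove_jail_tree "$1"
fi
```

Only run `chflags -R noschg` on a tree you are about to delete: on a jail you intend to keep running, clearing schg removes exactly the protection that securelevel was meant to lock in, which is the trade-off .ike is pointing at with NO_FSCHG.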