From owner-freebsd-jail@FreeBSD.ORG Sun Jul 4 16:25:09 2010
Message-ID: <4C30B26D.2010202@omnilan.de>
Date: Sun, 04 Jul 2010 18:10:21 +0200
From: Harald Schmalzbauer
Organization: OmniLAN
To: freebsd-jail@FreeBSD.org
References: <4C2EEF3E.2010008@omnilan.de> <4C2EF065.2020208@omnilan.de> <20100703145827.E14969@maildrop.int.zabbadoz.net>
In-Reply-To: <20100703145827.E14969@maildrop.int.zabbadoz.net>
Subject: Re: selective jail restriction controlling in rc.conf

Bjoern A. Zeeb wrote on 03.07.2010 17:02 (localtime):
...
> there is currently an ongoing discussion about jail configuration on
> the freebsd-jail@ mailing list:
>
> http://lists.freebsd.org/pipermail/freebsd-jail/2010-June/thread.html#1308
>
> I think your comments (and patches) are better sent there, rather than
> to stable@.

Dear freebsd-jail fellows,

I haven't known of that list yet, nor am I subscribed, but I did some
work for me to extend rc.d/jail to accomplish some of my needs and
I'd like to share it.
I don't have much knowledge to join serious development, I'm just
"playing". But I'm sure you can understand my intention of the patch and
maybe take some idea.

Here's my original post to freebsd-stable@:

I very much liked the possibility to easily manage jails via rc.conf.
Unfortunately I was missing some features.
First, there are many security.jail.allow_* sysctls which didn't get
attention.
Second, I needed to allow different things on different jails. For
example only one distinct jail should have sysvIPC.

Please find attached a patch which extends rc.d to my needs.
Some jail_start() modifications were necessary and some cleanups could
be done in the "Configuring jails:" section (not needed any more) and in
the _ip_multi processing, since that's not needed any more.
One has to separately define ip4 and ip6 addresses. They can be with or
without mask, single or comma separated list, doesn't matter, thanks
to the jail_handle_ips_option() coder, it just works :)

In case of comments/questions, please CC me, I'm not subscribed.

Thanks,

-Harry

Content-Type: text/plain; name="jail-allow-selectables.patch"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline; filename="jail-allow-selectables.patch"

--- src/etc/defaults/rc.conf 2010-06-28 19:22:08.000000000 +0200 +++ src/etc/defaults/rc.conf 2010-07-03 10:08:31.000000000 +0200 
@@ -642,8 +642,13 @@ jail_enable=3D"NO" # Set to NO to disable starting of any jails jail_list=3D"" # Space separated list of names of jails jail_set_hostname_allow=3D"YES" # Allow root user in a jail to change it= s hostname -jail_socket_unixiproute_only=3D"YES" # Route only TCP/IP within a jail jail_sysvipc_allow=3D"NO" # Allow SystemV IPC use from within a jail +jail_socket_unixiproute_only=3D"YES" # Route only TCP/IP within a jail +jail_raw_sockets_allow=3D"NO" # Prison root can create raw sockets +jail_chflags_allow=3D"NO" # Processes in jail can alter system file flag= s +jail_mount_allow=3D"NO" # Processes in jail can mount/unmount jail-frien= dly file systems +jail_quotas_allow=3D"NO" # The prison root may administer quotas on the = jail's filesystem(s) +socket_af_allow=3D"NO" # Sockets within a jail are normally restricted t= o IPv4, IPv6, local (UNIX), and route. =20 # # To use rc's built-in jail infrastructure create entries for @@ -658,8 +663,8 @@ #jail_example_hostname=3D"default.domain.com" # Jail's hostname #jail_example_interface=3D"" # Jail's interface variable to create IP = aliases on #jail_example_fib=3D"0" # Routing table for setfib(1) -#jail_example_ip=3D"192.0.2.10,2001:db8::17" # Jail's primary IPv4 and I= Pv6 address -#jail_example_ip_multi0=3D"2001:db8::10" # and another IPv6 address +#jail_example_ip4=3D"192.0.2.10/24,10.1.2.3" # Jail's IPv4 address(es) +#jail_example_ip6=3D"2001:db8::10,fec0::0:1:2:3" # Jail's IPv6 address(= es) #jail_example_exec_start=3D"/bin/sh /etc/rc" # command to execute in ja= il for starting #jail_example_exec_afterstart0=3D"/bin/sh command" # command to execute = after the one for # starting the jail. More than one can be 
@@ -672,6 +677,14 @@ #jail_example_procfs_enable=3D"NO" # mount procfs in jail #jail_example_mount_enable=3D"NO" # mount/umount jail's fs #jail_example_fstab=3D"" # fstab(5) for mount/umount +#jail_example_allow_set_hostname=3D"NO" # This jail can set hostname +#jail_example_allow_sysvipc=3D"NO" # This jail can use SystemV IPC +#jail_example_allow_raw_sockets=3D"NO" # This jail can create raw socke= ts (ping) +#jail_example_allow_chflags=3D"NO" # This jail can alter it's filesyste= m flags +#jail_example_allow_mount=3D"NO" # This jail can mount jail friendly f= ilesystems +#jail_example_allow_quotas=3D"NO" # This jail can modify quotas on it'= s filesystems +#jail_example_allow_socket_af=3D"NO" # This jail can use other protocol= stacks than IP4, IP6 and local + #jail_example_flags=3D"-l -U root" # flags for jail(8) =20 ############################################################## --- src/etc/rc.d/jail 2010-06-28 19:22:11.000000000 +0200 +++ src/etc/rc.d/jail 2010-07-03 10:02:34.000000000 +0200 @@ -21,6 +21,8 @@ start_cmd=3D"jail_start" stop_cmd=3D"jail_stop" =20 +jail_restrictions=3D"set_hostname sysvipc raw_sockets chflags mount quot= as socket_af" + # init_variables _j # Initialize the various jail variables for jail _j. # @@ -38,7 +40,8 @@ _fdescdir=3D"${_devdir}/fd" _procdir=3D"${_rootdir}/proc" eval _hostname=3D\"\$jail_${_j}_hostname\" - eval _ip=3D\"\$jail_${_j}_ip\" + eval _ip4=3D\"\$jail_${_j}_ip4\" + eval _ip6=3D\"\$jail_${_j}_ip6\" eval _interface=3D\"\${jail_${_j}_interface:-${jail_interface}}\" eval _exec=3D\"\$jail_${_j}_exec\" =20 @@ -122,8 +125,9 @@ debug "$_j procfs enable: $_procfs" debug "$_j mount enable: $_mount" debug "$_j hostname: $_hostname" - debug "$_j ip: $_ip" - jail_show_addresses ${_j} + debug "$_j ip4: $_ip4" + debug "$_j ip6: $_ip6" +# jail_show_addresses ${_j} debug "$_j interface: $_interface" debug "$_j fib: $_fib" debug "$_j root: $_rootdir" 
@@ -347,27 +351,27 @@ # Debug print the input for the given _multi aliases # for a jail for init_variables(). # -jail_show_addresses() -{ - local _j _type alias - _j=3D"$1" - alias=3D0 - - if [ -z "${_j}" ]; then - warn "jail_show_addresses: you must specify a jail" - return - fi - - while : ; do - eval _addr=3D\"\$jail_${_j}_ip_multi${alias}\" - if [ -n "${_addr}" ]; then - debug "${_j} ip_multi${alias}: $_addr" - alias=3D$((${alias} + 1)) - else - break - fi - done -} +#jail_show_addresses() +#{ +# local _j _type alias +# _j=3D"$1" +# alias=3D0 +# +# if [ -z "${_j}" ]; then +# warn "jail_show_addresses: you must specify a jail" +# return +# fi +# +# while : ; do +# eval _addr=3D\"\$jail_${_j}_ip_multi${alias}\" +# if [ -n "${_addr}" ]; then +# debug "${_j} ip_multi${alias}: $_addr" +# alias=3D$((${alias} + 1)) +# else +# break +# fi +# done +#} =20 # jail_extract_address argument # The second argument is the string from one of the _ip @@ -481,20 +485,26 @@ *) ;; esac =20 - # Append address to list of addresses for the jail command. - case "${_addrl}" in - "") _addrl=3D"${_addr}" ;; - *) _addrl=3D"${_addrl},${_addr}" ;; - esac - # Configure interface alias if requested by a given interface # and if we could correctly parse everything. case "${_iface}" in "") continue ;; esac case "${_type}" in - inet) ;; - inet6) ;; + inet) {=09 + # Append address to list of addresses for the jail command. + case "${_addrl4}" in + "") _addrl4=3D"${_addr}" ;; + *) _addrl4=3D"${_addrl4},${_addr}" ;; + esac + };; + inet6) { + # Append address to list of addresses for the jail command. + case "${_addrl6}" in + "") _addrl6=3D"${_addr}" ;; + *) _addrl6=3D"${_addrl6},${_addr}" ;; + esac + };; *) warn "Could not determine address family. Not going" \ "to ${_action} address '${_addr}' for ${_jail}." continue 
@@ -531,18 +541,18 @@ esac =20 # Handle addresses. - jail_handle_ips_option ${_action} "${_ip}" + jail_handle_ips_option ${_action} "${_ip4},${_ip6}" # Handle jail_xxx_ip_multi - alias=3D0 - while : ; do - eval _x=3D\"\$jail_${_jail}_ip_multi${alias}\" - case "${_x}" in - "") break ;; - *) jail_handle_ips_option ${_action} "${_x}" - alias=3D$((${alias} + 1)) - ;; - esac - done +# alias=3D0 +# while : ; do +# eval _x=3D\"\$jail_${_jail}_ip4_multi${alias}\" +# case "${_x}" in +# "") break ;; +# *) jail_handle_ips_option ${_action} "${_x}" +# alias=3D$((${alias} + 1)) +# ;; +# esac +# done } =20 jail_start() @@ -566,7 +576,8 @@ echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id ex= ists)]" continue; fi - _addrl=3D"" + _addrl4=3D"" + _addrl6=3D"" jail_ips "add" if [ -n "${_fib}" ]; then _setfib=3D"setfib -F '${_fib}'" @@ -625,6 +636,15 @@ fi fi fi + _j_allow_parms=3D"" + for relax in ${jail_restrictions}; do + eval _param_allow=3D\"\${jail_${_jail}_allow_${relax}:-\${jail_allow_= $relax}}\" + [ -z "${_param_allow}" ] && _param_allow=3D"NO" + checkyesno _param_allow && \ + _j_allow_parms=3D"${_j_allow_parms}allow.${relax}=3D1 "=20 + debug "$_jail _allow_${relax}: $_param_allow" + done + debug "$_jail selectiv relaxation: $_j_allow_parms" _tmp_jail=3D${_tmp_dir}/jail.$$ =20 i=3D0 
@@ -634,9 +654,10 @@ ${out} i=3D$((i + 1)) done - - eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \ - \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 + =09 + eval ${_setfib} jail ${_flags} -i -c name=3D${_jail}\ + path=3D${_rootdir} host.hostname=3D${_hostname} \ + ip4.addr=3D${_addrl4} ip6.addr=3D${_addrl6} ${_j_allow_parms} command= =3D${_exec_start} > ${_tmp_jail} 2>&1 =20 if [ "$?" -eq 0 ] ; then _jail_id=3D$(head -1 ${_tmp_jail})
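
Review bot: In src/etc/rc.d/jail, hunk @@ -38,7 +40,8 @@ (init_variables), jail_<name>_ip is no longer read at all, so an existing rc.conf that still sets jail_<name>_ip or jail_<name>_ip_multiN (whose loop is commented out in @@ -531,18 +541,18 @@) starts its jail with no addresses and no warning. Either keep reading the old variables as a fallback or warn when they are set, and mention the rename next to the jail_example_ip4 / jail_example_ip6 entries in defaults/rc.conf.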
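
Review bot: In src/etc/rc.d/jail, hunk @@ -481,20 +485,26 @@, the append to _addrl4/_addrl6 now sits inside case "${_type}", which is only reached after the case "${_iface}" in "") continue ;; check, so an address without an interface skips the append and a jail that configures no interface ends up with empty address lists. The removed code appended before that check; do the per-family append at that same place (provided ${_type} is already set there) and leave the inet) ;; and inet6) ;; arms as they were. The { ... } grouping around each arm is not needed either.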
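
Review bot: In src/etc/rc.d/jail, hunk @@ -531,18 +541,18 @@, jail_handle_ips_option ${_action} "${_ip4},${_ip6}" passes a leading or trailing comma (or a bare ",") whenever one family is unset, and nothing in this hunk shows that empty list items are skipped. Call it once per non-empty variable instead. The ip_multi loop here and jail_show_addresses() in @@ -347,27 +351,27 @@ should be deleted rather than commented out; the commented loop was also renamed to _ip4_multi, a variable the patch introduces nowhere else.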
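
Review bot: In src/etc/rc.d/jail, hunk @@ -625,6 +636,15 @@, the fallback reads jail_allow_$relax (for example jail_allow_sysvipc), but defaults/rc.conf in @@ -642,8 +642,13 @@ names the globals jail_sysvipc_allow, jail_raw_sockets_allow and so on, and socket_af_allow without any jail_ prefix, so the global defaults are never consulted and every restriction falls back to NO, including the existing jail_set_hostname_allow="YES". Make the lookup match the rc.conf names and rename socket_af_allow to carry the jail_ prefix like its siblings. "selectiv" in the debug message should read "selective".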
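
Review bot: In src/etc/rc.d/jail, hunk @@ -634,9 +654,10 @@, ip4.addr=${_addrl4} and ip6.addr=${_addrl6} are always passed, so a jail with addresses of only one family is created with an empty parameter for the other, and the quoting that the old \"${_addrl}\" had is gone for every value that goes through eval. Add each address parameter only when its list is non-empty, and quote the expansions for path, host.hostname and the address lists.
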
Date: Mon, 5 Jul 2010 11:06:56 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/147162  jail       [jail] [panic] Page Fault / Kernel panic when jail sta
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

7 problems total.

From owner-freebsd-jail@FreeBSD.ORG Wed Jul 7 22:14:18 2010
Message-ID: <4C34FB9C.8020404@FreeBSD.org>
Date: Wed, 07 Jul 2010 16:11:40 -0600
From: Jamie Gritton
To: Harald Schmalzbauer, freebsd-jail@FreeBSD.org
References: <4C2EEF3E.2010008@omnilan.de> <4C2EF065.2020208@omnilan.de> <20100703145827.E14969@maildrop.int.zabbadoz.net> <4C30B26D.2010202@omnilan.de>
In-Reply-To: <4C30B26D.2010202@omnilan.de>
Subject: Re: selective jail restriction controlling in rc.conf

On 07/04/10 10:10, Harald Schmalzbauer wrote:
> Dear freebsd-jail fellows,
>
> I haven't known of that list yet, nor am I subscribed, but I did some
> work for me to extend rc.d/jail to accomplish some of my needs and
> I'd like to share it.
> I don't have much knowledge to join serious development, I'm just
> "playing". But I'm sure you can understand my intention of the patch and
> maybe take some idea.
>
> Here's my original post to freebsd-stable@:
>
> I very much liked the possibility to easily manage jails via rc.conf.
> Unfortunately I was missing some features.
> First, there are many security.jail.allow_* sysctls which didn't get
> attention.
> Second, I needed to allow different things on different jails. For
> example only one distinct jail should have sysvIPC.
>
> Please find attached a patch which extends rc.d to my needs.
> Some jail_start() modifications were necessary and some cleanups could
> be done in the "Configuring jails:" section (not needed any more) and in
> the _ip_multi processing, since that's not needed any more.
> One has to separately define ip4 and ip6 addresses. They can be with or
> without mask, single or comma separated list, doesn't matter, thanks
> to the jail_handle_ips_option() coder, it just works :)

The new jail(8) syntax is able to handle your second concern, allowing
features on only some jails. I'm currently working on an update that
will use a jail.conf file instead of the rc-based shell variables
currently in use; because of that, there are no plans to keep hacking on
the rc variables.

As for the first concern, the sysctl.jail.allow_* sysctls, those are
obsoleted by the new jail system as well. While they will continue to
exist in the (at least near) future, they're being deprecated for just
the reason you mention, that they don't allow per-jail control.

- Jamie
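
The per-jail control discussed in this thread, as an added example that is not part of either message or of rc.d/jail: a POSIX sh function that resolves each restriction from a per-jail variable, then a global one, then NO, and emits the matching allow.* parameters for jail -c. The global names jail_allow_<restriction> and the jails "db" and "www" are assumptions made for the example; the restriction list and the jail_<name>_allow_<restriction> names are the ones used in the patch.

```sh
#!/bin/sh
# Restriction names as listed in the patch's jail_restrictions variable.
JAIL_RESTRICTIONS="set_hostname sysvipc raw_sockets chflags mount quotas socket_af"

# jail_allow_params NAME: print the allow.* parameters for jail NAME.
# Lookup order: jail_NAME_allow_X, then jail_allow_X (assumed name), then NO.
jail_allow_params() {
    _j="$1"
    _out=""
    # NAME is spliced into eval below, so accept identifier characters only.
    case "$_j" in
        ""|*[!A-Za-z0-9_]*) echo "invalid jail name: '$_j'" >&2; return 1 ;;
    esac
    for _r in $JAIL_RESTRICTIONS; do
        eval "_v=\"\${jail_${_j}_allow_${_r}:-\${jail_allow_${_r}:-NO}}\""
        # Same spellings rc.subr's checkyesno accepts; anything else is
        # reported and treated as NO so a typo never widens privileges.
        case "$_v" in
            [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
                _out="${_out:+$_out }allow.${_r}=1" ;;
            [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0)
                ;;
            *)
                echo "jail ${_j}: allow_${_r}='$_v' is not YES/NO, keeping it denied" >&2 ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Constructed sample configuration (hypothetical jails "db" and "www").
jail_allow_raw_sockets="YES"      # global default: every jail may use raw sockets
jail_db_allow_sysvipc="YES"       # only the database jail gets SysV IPC
jail_www_allow_raw_sockets="NO"   # per-jail override of the global default
jail_www_allow_mount="maybe"      # typo in rc.conf: must stay denied

jail_allow_params db
jail_allow_params www
```

The output is meant to be appended to a jail -c command line in place of the patch's ${_j_allow_parms}.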