Date: Tue, 9 Jun 2009 20:44:13 -0400
From: Edwin Shao <eshao@andrew.cmu.edu>
To: freebsd-jail@freebsd.org
Subject: sysctl variables not propagating to children jails
Message-ID: <17ca67550906091744p55fe0748h8f39bb326b05b06f@mail.gmail.com>
Hi,

In the most recent -current, I've noticed that sysctl variables no longer propagate to jails and thus it is impossible to allow raw sockets, allow mounting, etc. This might be related to <http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00847.html>.

For example, in parent:

hyper ~> sysctl security
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0

In child:

t# sysctl security
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 0
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 1
security.bsd.suser_enabled: 1
security.bsd.unprivileged_proc_debug: 1
security.bsd.conservative_signals: 1
security.bsd.see_other_gids: 1
security.bsd.see_other_uids: 1
security.bsd.unprivileged_read_msgbuf: 1
security.bsd.hardlink_check_gid: 0
security.bsd.hardlink_check_uid: 0
security.bsd.unprivileged_get_quota: 0

In my messages log:

944 Jun 9 20:10:26 hyper root: /etc/rc.d/jail: DEBUG: checkyesno: jail_enable is set to YES.
945 Jun 9 20:10:26 hyper root: /etc/rc.d/jail: DEBUG: run_rc_command: doit: jail_start
946 Jun 9 20:10:26 hyper root: /etc/rc.d/jail: DEBUG: checkyesno: jail_set_hostname_allow is set to NO.
947 Jun 9 20:10:26 hyper root: /etc/rc.d/jail: DEBUG: checkyesno: jail_socket_unixiproute_only is set to YES.
948 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: checkyesno: jail_sysvipc_allow is set to NO.
949 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t devfs enable: YES
950 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t fdescfs enable: YES
951 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t procfs enable: YES
952 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t mount enable: YES
953 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t hostname: t
954 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t ip: 10.0.0.10
955 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t interface:
956 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t fib:
957 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t root: /usr/jails/t
958 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t devdir: /usr/jails/t/dev
959 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t fdescdir: /usr/jails/t/dev/fd
960 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t procdir: /usr/jails/t/proc
961 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t ruleset: devfsrules_jail
962 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t fstab: /etc/fstab.t
963 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t consolelog: /var/log/jail_t_console.log
964 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t exec start: /bin/sh /etc/rc
965 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t exec stop:
966 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t flags: -l -U root
967 Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t consolelog: /var/log/jail_t_console.log

This is using:

hyper ~> uname -a
FreeBSD hyper.nekogiri.com 8.0-CURRENT FreeBSD 8.0-CURRENT #0 r193627: Sun Jun 7 06:11:17 EDT 2009 root@hyper.nekogiri.com:/usr/obj/usr/home/eshao/wsp/freebsd/src/sys/XENNEKO i386

I noticed this problem when upgrading past this revision:
http://svn.freebsd.org/viewvc/base?view=revision&revision=192895

Please let me know if I'm doing something stupid! Or if you need more debugging output.

Thanks,
Edwin
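A small diagnostic in the spirit of the host-versus-jail comparison in the mail above, added here as an example and not part of the original message or of FreeBSD's own scripts: it reads `sysctl security` output captured on the host and inside a jail (one `name: value` pair per line, as quoted above) and lists the security.jail.* privilege knobs whose values differ. The sample inputs below are the relevant lines from the two outputs in the mail; the knob list, the function names and the temp-file handling are my own assumptions. Run from the host after starting jails, such a check surfaces a jail that ended up with more (or fewer) privileges than its configuration intended.

```shell
#!/bin/sh
# Added example (not from the original mail): compare the security.jail.*
# knobs that govern jail privileges as seen from the host and from inside a
# jail, and report those whose values differ. Input is plain `sysctl security`
# output ("name: value" per line), so it can be fed from files captured on
# either side, e.g. `sysctl security > host.txt` and `jexec t sysctl security`.

# Knobs of interest (names as they appear in the sysctl output quoted in the mail).
JAIL_KNOBS="security.jail.enforce_statfs security.jail.mount_allowed \
security.jail.chflags_allowed security.jail.allow_raw_sockets \
security.jail.sysvipc_allowed security.jail.socket_unixiproute_only \
security.jail.set_hostname_allowed"

# sysctl_value NAME FILE: print the value of sysctl NAME found in FILE,
# or "-" when the name is absent from that output.
sysctl_value() {
    _v=$(awk -v k="$1" -F': ' '$1 == k { print $2; exit }' "$2")
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' '-'; fi
}

# compare_jail_sysctls HOSTFILE JAILFILE: print "name host=X jail=Y" for
# every knob in JAIL_KNOBS whose value differs between the two captures.
compare_jail_sysctls() {
    for k in $JAIL_KNOBS; do
        h=$(sysctl_value "$k" "$1")
        j=$(sysctl_value "$k" "$2")
        if [ "$h" != "$j" ]; then
            printf '%s host=%s jail=%s\n' "$k" "$h" "$j"
        fi
    done
    return 0
}

# Constructed sample inputs: the relevant lines of the host and jail
# `sysctl security` output quoted in the mail, written to temp files.
HOST_OUT=$(mktemp)
JAIL_OUT=$(mktemp)
cat > "$HOST_OUT" <<'EOF'
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jailed: 0
EOF
cat > "$JAIL_OUT" <<'EOF'
security.jail.enforce_statfs: 0
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jailed: 1
EOF

# Usage: prints the four knobs that differ in the mail's outputs
# (enforce_statfs, mount_allowed, allow_raw_sockets, set_hostname_allowed).
compare_jail_sysctls "$HOST_OUT" "$JAIL_OUT"
```

The script only parses text, so it does not need to run on the affected kernel; capturing both outputs into files and diffing the privilege knobs this way gives a reproducible record to attach to a report like the one above.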