Date: Sat, 27 Aug 2011 01:22:48 -0700
From: Devin Teske <devin.teske@fisglobal.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Cc: Dave Robison <daver@vicor.com>, Devin Teske <dteske@vicor.com>
Subject: jail vnet bug
Message-ID: <3A1BA4AA-3949-4FD5-AE80-6C3436911414@fisglobal.com>
Hi all,

Not sure if this is a bug, but I'm using 8.1-RELEASE-p4 with VIMAGE enabled and am experiencing something odd.

I set sysctl security.jail.mount_allowed=1 and then fire up a jail, all is good (jail has value of 1).

I then set sysctl security.jail.enforce_statfs=1 and then restart the jail. Again, all is good (jail has value of 1).

I then fire up my vimage jails, and all is bad. Values still show 0 (mount_allowed) and 2 (enforce_statfs).

So I went into the kernel and forced their default values, which appeared to work, but only partly.

The following [undesirable] patch was enough to get enforce_statfs working:

--- sys/kern/kern_jail.c.orig	2011-08-26 23:41:27.000000000 -0700
+++ sys/kern/kern_jail.c	2011-08-27 00:44:45.000000000 -0700
@@ -202,7 +202,7 @@
 #define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
-#define JAIL_DEFAULT_ENFORCE_STATFS 2
+#define JAIL_DEFAULT_ENFORCE_STATFS 1
 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
 static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
 #if defined(INET) || defined(INET6)

However, the following [equally undesirable] patch was NOT enough to get mount(8) to work:

@@ -4113,4 +4114,4 @@
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
-    NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
+    (void *)1, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
     "Processes in jail can mount/unmount jail-friendly file systems");

Here's what I'm getting for an error...

vnettest# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.1 netmask 0xff000000
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether XX:XX:XX:XX:XX:XX
	inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.X
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 1
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
mount_nfs: /mnt, : Operation not permitted

Meanwhile, over in the jail (non-vnet):

vnettest# ifconfig -l
bge0 fxp0 plip0 ipfw0 lo0 epair0a bridge0
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 0
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
vnettest# df -Th
Filesystem     Type   Size  Used  Avail  Capacity  Mounted on
/dev/ad4s1f    ufs    137G  4.1G  122G   3%        /
devfs          devfs  1.0K  1.0K  0B     100%      /dev
build1:/repos  nfs    99G   63G   29G    69%       /mnt
vnettest# umount /mnt
vnettest# df -Th
Filesystem     Type   Size  Used  Avail  Capacity  Mounted on
/dev/ad4s1f    ufs    137G  4.1G  122G   3%        /
devfs          devfs  1.0K  1.0K  0B     100%      /dev

Any advice would be helpful. The core issue is that we've finally achieved NFS mounting within a jail (many thanks to Martin Matuska for his patch), but are not able to replicate our success in a vnet jail.

-- 
Devin

_____________
The information contained in this message is proprietary and/or confidential.
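Review bot: the @@ -202,7 +202,7 @@ hunk changes the compiled-in JAIL_DEFAULT_ENFORCE_STATFS instead of addressing why the vnet jails ignore the runtime security.jail.enforce_statfs setting, and the fact that it works is itself the clue. A jail that needs the `vnet` parameter has to be created through jail_set(2) (jail -c), and on that path a new prison starts from the JAIL_DEFAULT_* values unless the parameter is supplied in the request; the legacy jail(2) path used by the old jail(8) syntax is the one that folds the security.jail.* sysctls into the request for you, which is why the non-vnet jail picks the sysctl up. The per-jail value is a jail parameter, so pass `enforce_statfs=1` on the jail -c line rather than rebuilding the kernel; if the default really is to change, the change should come with a rationale, since 2 is the value that hides other mount points from jailed processes.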
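Review bot: `(void *)1` in the arg1 slot of the @@ -4113,4 +4114,4 @@ hunk does not set a default of 1. In sysctl_jail_default_allow the arg1 slot is the inverted-sense selector (the same mechanism that lets socket_unixiproute_only present the complement of PR_ALLOW_SOCKET_AF), so after this hunk security.jail.mount_allowed reads 1 precisely when PR_ALLOW_MOUNT is clear, and writing 1 to it clears the bit. That matches the output below the patch exactly: the vnet jail prints mount_allowed: 1 and mount still fails with "Operation not permitted", while the non-vnet jail prints 0 and mounts fine. Drop this hunk. A compiled-in default would belong in JAIL_DEFAULT_ALLOW (`PR_ALLOW_SET_HOSTNAME | PR_ALLOW_MOUNT`), and the non-patch route is `allow.mount` on the jail -c line. Separately, the new-file offset +4114 against an old offset of 4113 after a net-zero first hunk implies a one-line insertion between the two hunks that is not in the posted diff, so the patch as shown is incomplete.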
If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
_____________
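The `(void *)1` hunk in the message above, as an added example that is not part of the mail or of FreeBSD's own code: a user-space model of the read/write arithmetic in kern_jail.c's sysctl_jail_default_allow() handler, where a non-NULL arg1 selects the inverted sense of the flag. The PR_ALLOW_* bit values and the JAIL_DEFAULT_ALLOW mask below are assumed for illustration, and the handler logic follows how it reads in the 8.x tree and should be checked against the tree in use. It shows why the patched sysctl reports mount_allowed=1 for a jail whose pr_allow mask still lacks PR_ALLOW_MOUNT, which is the state the vnet jail in the mail is in.

```c
/*
 * Added example: user-space model of the flag arithmetic in FreeBSD's
 * sysctl_jail_default_allow() (sys/kern/kern_jail.c).  Not kernel code.
 * Assumptions: PR_ALLOW_* bit values are illustrative, JAIL_DEFAULT_ALLOW
 * is the mask from the first hunk's context line, and the inverted-sense
 * handling of arg1 is as the handler reads in 8.x.
 */
#include <stdio.h>

/* Illustrative PR_ALLOW_* bits (assumed, not copied from sys/jail.h). */
#define PR_ALLOW_SET_HOSTNAME   0x01u
#define PR_ALLOW_MOUNT          0x10u

/* Mask a new jail starts from, per the first hunk's context line. */
#define JAIL_DEFAULT_ALLOW      PR_ALLOW_SET_HOSTNAME

/*
 * The question the mount path actually asks: is the bit set in the jail's
 * pr_allow mask?  This is what decides EPERM, not the sysctl's display value.
 */
int prison_allow_model(unsigned pr_allow, unsigned flag)
{
    return (pr_allow & flag) != 0;
}

/*
 * Read side of the handler.  arg2 is the flag bit.  A non-NULL arg1 means
 * "report the inverse"; the hunk's (void *)1 selects that sense for
 * mount_allowed, so the sysctl reads 1 exactly when the bit is clear.
 */
int allow_sysctl_read(unsigned allow, unsigned arg2, int arg1_set)
{
    int i = (allow & arg2) ? 1 : 0;
    if (arg1_set)
        i = !i;
    return i;
}

/*
 * Write side: turn the boolean back into a bit, undo the inversion the same
 * way, and splice it into the mask.  In the kernel the target mask is the
 * jail_default_allow global, which only seeds jails created later through
 * the legacy jail(2) path; here the new mask is simply returned.
 */
unsigned allow_sysctl_write(unsigned allow, unsigned arg2, int arg1_set, int newval)
{
    unsigned i = newval ? arg2 : 0;
    if (arg1_set)
        i ^= arg2;
    return (allow & ~arg2) | i;
}

int main(void)
{
    unsigned allow = JAIL_DEFAULT_ALLOW;
    unsigned after;

    /* Stock handler: sysctl reads 0 and mount is refused; the two agree. */
    printf("stock:    mount_allowed=%d can_mount=%d\n",
           allow_sysctl_read(allow, PR_ALLOW_MOUNT, 0),
           prison_allow_model(allow, PR_ALLOW_MOUNT));

    /* With the (void *)1 hunk: same mask, sysctl now reads 1, mount still
     * refused.  This is the vnet jail in the mail. */
    printf("patched:  mount_allowed=%d can_mount=%d\n",
           allow_sysctl_read(allow, PR_ALLOW_MOUNT, 1),
           prison_allow_model(allow, PR_ALLOW_MOUNT));

    /* Worse: writing 1 through the inverted sysctl clears the bit. */
    after = allow_sysctl_write(allow | PR_ALLOW_MOUNT, PR_ALLOW_MOUNT, 1, 1);
    printf("patched write 1: can_mount=%d\n",
           prison_allow_model(after, PR_ALLOW_MOUNT));

    /* The un-inverted handler does what was wanted. */
    after = allow_sysctl_write(allow, PR_ALLOW_MOUNT, 0, 1);
    printf("stock write 1:   can_mount=%d\n",
           prison_allow_model(after, PR_ALLOW_MOUNT));
    return 0;
}
```

The practical consequence for the mail's setup is that the sysctl value seen inside the vnet jail is not evidence of the jail's permission; the `allow.mount` parameter given to jail -c (or a jail_set(2) request) is what lands in pr_allow.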
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A1BA4AA-3949-4FD5-AE80-6C3436911414>