From: Devin Teske
Date: Sat, 27 Aug 2011 01:22:48 -0700
To: FreeBSD Mailing List
Cc: Dave Robison, Devin Teske
Subject: jail vnet bug
Message-ID: <3A1BA4AA-3949-4FD5-AE80-6C3436911414@fisglobal.com>
X-BeenThere: freebsd-questions@freebsd.org

Hi all,

Not sure if this is a bug, but I'm using 8.1-RELEASE-p4 with VIMAGE enabled and am experiencing something odd.

I set sysctl security.jail.mount_allowed=1 and then fire up a jail, all is good (jail has value of 1).

I then set sysctl security.jail.enforce_statfs=1 and then restart the jail. Again, all is good (jail has value of 1).

I then fire up my vimage jails, and all is bad. Values still show 0 (mount_allowed) and 2 (enforce_statfs).

So I went into the kernel and forced their default values, which appeared to work, but only partly.

The following [undesirable] patch was enough to get enforce_statfs working:

--- sys/kern/kern_jail.c.orig	2011-08-26 23:41:27.000000000 -0700
+++ sys/kern/kern_jail.c	2011-08-27 00:44:45.000000000 -0700
@@ -202,7 +202,7 @@
 #define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
-#define JAIL_DEFAULT_ENFORCE_STATFS 2
+#define JAIL_DEFAULT_ENFORCE_STATFS 1
 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
 static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
 #if defined(INET) || defined(INET6)

However, the following [equally undesirable] patch was NOT enough to get mount(8) to work:

@@ -4113,4 +4114,4 @@
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
-    NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
+    (void *)1, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
     "Processes in jail can mount/unmount jail-friendly file systems");

Here's what I'm getting for an error...

vnettest# ifconfig
lo0: flags=8049 metric 0 mtu 16384
	options=3
	inet 127.0.0.1 netmask 0xff000000
epair0b: flags=8843 metric 0 mtu 1500
	ether XX:XX:XX:XX:XX:XX
	inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.X
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 1
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
mount_nfs: /mnt, : Operation not permitted

Meanwhile, over in the jail (non-vnet):

vnettest# ifconfig -l
bge0 fxp0 plip0 ipfw0 lo0 epair0a bridge0
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 0
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
vnettest# df -Th
Filesystem     Type   Size   Used  Avail Capacity  Mounted on
/dev/ad4s1f    ufs    137G   4.1G  122G     3%    /
devfs          devfs  1.0K   1.0K    0B   100%    /dev
build1:/repos  nfs     99G    63G   29G    69%    /mnt
vnettest# umount /mnt
vnettest# df -Th
Filesystem     Type   Size   Used  Avail Capacity  Mounted on
/dev/ad4s1f    ufs    137G   4.1G  122G     3%    /
devfs          devfs  1.0K   1.0K    0B   100%    /dev

Any advice would be helpful. The core issue is that we've finally achieved NFS mounting within a jail (many thanks to Martin Matuska for his patch), but are not able to replicate our success in a vnet jail.

-- 
Devin
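Review bot: lowering JAIL_DEFAULT_ENFORCE_STATFS from 2 to 1 in the first hunk changes the compiled-in default for every jail on the host, which relaxes the statfs restriction globally instead of explaining why the value written through security.jail.enforce_statfs is not seen inside the vnet jail; jail_default_enforce_statfs, two lines below the change, is exactly what that sysctl sets, so a correctly propagating sysctl makes this hunk unnecessary and it should stay a local diagnostic rather than become a fix.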
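Review bot: the second hunk's header "@@ -4113,4 +4114,4 @@" starts one line later on the new side although the first hunk adds no lines, so a hunk is missing from what was posted and the diff will not apply cleanly against kern_jail.c.orig; please post the complete diff -u output. Separately, the slot changed from NULL to (void *)1 is the arg1 pointer handed to sysctl_jail_default_allow, not the stored flag mask (PR_ALLOW_MOUNT remains in arg2), so it cannot alter what a newly created jail inherits; that matches the vnet jail below reporting mount_allowed: 1 while mount(8) still returns "Operation not permitted", i.e. only the reported value changed, not the permission.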
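The check Devin performs by hand above (set the host sysctl, start the jail, read the value back from inside) as a script, added here as an example and not part of the original mail: it compares what each running jail reports for security.jail.mount_allowed and security.jail.enforce_statfs with the host's values and flags any jail whose view diverges, which is the symptom the vnet jails showed. Assumed: FreeBSD jls(8), jexec(8) and sysctl(8) semantics on the host; the sample outputs in demo_vnet_case are constructed from the values quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail: compare the jail sysctl
# values a jail reports from the inside with the host's, flagging jails
# whose view diverges. Assumes FreeBSD jls(8), jexec(8) and sysctl(8).

OIDS="security.jail.mount_allowed security.jail.enforce_statfs"

# compare_jail_sysctls HOST_OUTPUT JAIL_OUTPUT
# Arguments hold the text printed by "sysctl $OIDS" ("name: value" per
# line). Prints one line per OID missing or differing and returns the
# count of such OIDs (0 = consistent).
compare_jail_sysctls() {
    host_out=$1 jail_out=$2 mismatches=0
    for oid in $OIDS; do
        h=$(printf '%s\n' "$host_out" | sed -n "s/^$oid: //p")
        j=$(printf '%s\n' "$jail_out" | sed -n "s/^$oid: //p")
        if [ -z "$h" ] || [ -z "$j" ]; then
            echo "MISSING $oid host='$h' jail='$j'"
            mismatches=$((mismatches + 1))
        elif [ "$h" != "$j" ]; then
            echo "MISMATCH $oid host=$h jail=$j"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# audit_running_jails: compare every running jail against the host.
# Needs root; not exercised offline. "jls -h jid" prints a header line
# and then one jid per line, which "sed 1d" skips.
audit_running_jails() {
    host_out=$(sysctl $OIDS) status=0
    for jid in $(jls -h jid | sed 1d); do
        jail_out=$(jexec "$jid" sysctl $OIDS 2>/dev/null) || { status=1; continue; }
        echo "== jail $jid"
        compare_jail_sysctls "$host_out" "$jail_out" || status=1
    done
    return "$status"
}

# demo_vnet_case: constructed sample with the values from the mail (host
# set to 1/1, vnet jail still reporting 0/2); returns 2 mismatches.
demo_vnet_case() {
    compare_jail_sysctls "security.jail.mount_allowed: 1
security.jail.enforce_statfs: 1" "security.jail.mount_allowed: 0
security.jail.enforce_statfs: 2"
}

case "${1:-}" in --audit) audit_running_jails ;; --demo) demo_vnet_case ;; esac
```

Run it as root with --audit on the host to check live jails; --demo replays the constructed vnet case offline.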