Re: git: 6452fb1e87ed - main - protect.1: Document that protect(1) does not work in jails
Date: Tue, 12 Jul 2022 13:51:19 UTC
12.07.2022 5:49, Mateusz Piotrowski wrote: > The branch main has been updated by 0mp (doc, ports committer): > > URL: https://cgit.FreeBSD.org/src/commit/?id=6452fb1e87ed9d00b52fa1e63e7c3a7516c9586c > > commit 6452fb1e87ed9d00b52fa1e63e7c3a7516c9586c > Author: Mateusz Piotrowski <0mp@FreeBSD.org> > AuthorDate: 2022-07-11 22:43:27 +0000 > Commit: Mateusz Piotrowski <0mp@FreeBSD.org> > CommitDate: 2022-07-11 22:47:58 +0000 > > protect.1: Document that protect(1) does not work in jails > > The reason is that in order to protect a process procctl(2) needs > the PRIV_VM_MADV_PROTECT privilege, which is currently denied in jails > (see kern_jail.c). > > MFC after: 1 week > --- > usr.bin/protect/protect.1 | 20 +++++++++++++++++++- > 1 file changed, 19 insertions(+), 1 deletion(-) > > diff --git a/usr.bin/protect/protect.1 b/usr.bin/protect/protect.1 > index 87a8169b1885..f67a8d9b59ea 100644 > --- a/usr.bin/protect/protect.1 > +++ b/usr.bin/protect/protect.1 > @@ -25,7 +25,7 @@ > .\" > .\" $FreeBSD$ > .\" > -.Dd July 7, 2022 > +.Dd July 12, 2022 > .Dt PROTECT 1 > .Os > .Sh NAME > @@ -112,6 +112,24 @@ bit is set to 1. > All children of this process will also be protected if > .Nm PI > bit is set to 1. > +.Sh DIAGNOSTICS > +.Bl -diag > +.It "protect: procctl: Operation not permitted" > +The > +.Nm > +command does not have the required permissions to protect selected processes. > +There are many reasons why this could be the case, e.g.: > +.Bl -dash > +.It > +.Nm > +is not executed by root. > +.It > +.Nm > +is executed inside a > +.Xr jail 8 , > +which is not supported at the moment. > +.El > +.El > .Sh SEE ALSO > .Xr ps 1 , > .Xr procctl 2 , > > Does it mean that syslogd_oomprotect="YES" in /etc/defaults/rc.conf is inappropriate for full-blown jail and results in failure of syslogd startup in such jail with defaults?
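Review bot: In the new DIAGNOSTICS section of the quoted patch, the jail list item ends with "which is not supported at the moment" and gives no cause, although the commit message states it: procctl(2) needs the PRIV_VM_MADV_PROTECT privilege, which is currently denied in jails (see kern_jail.c). Consider carrying that explanation into the list item, so that an administrator who sees "protect: procctl: Operation not permitted" inside a jail can tell it is a privilege restriction and not a local misconfiguration. The visible SEE ALSO context shows only ps(1) and procctl(2); if jail(8) is not already listed further down, add it there as well, since the new text cross-references it.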