From nobody Tue Jul 12 13:51:19 2022
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 161E11D02112;
	Tue, 12 Jul 2022 13:51:42 +0000 (UTC)
	(envelope-from eugen@grosbein.net)
Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Lj2H06gLQz45NR;
	Tue, 12 Jul 2022 13:51:40 +0000 (UTC)
	(envelope-from eugen@grosbein.net)
Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221] (may be forged))
	by hz.grosbein.net (8.16.1/8.16.1) with ESMTPS id 26CDpW6j093633
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Tue, 12 Jul 2022 13:51:33 GMT
	(envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: 0mp@FreeBSD.org
Received: from [10.58.0.11] (dadvw [10.58.0.11] (may be forged))
	by eg.sd.rdtc.ru (8.16.1/8.16.1) with ESMTPS id 26CDpUEs093291
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT);
	Tue, 12 Jul 2022 20:51:30 +0700 (+07)
	(envelope-from eugen@grosbein.net)
Subject: Re: git: 6452fb1e87ed - main - protect.1: Document that protect(1)
 does not work in jails
To: Mateusz Piotrowski <0mp@FreeBSD.org>, src-committers@FreeBSD.org,
        dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
References: <202207112249.26BMn2M4035013@gitrepo.freebsd.org>
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <f7bf79f5-db75-2b6b-f37c-2bd79c1409cc@grosbein.net>
Date: Tue, 12 Jul 2022 20:51:19 +0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-main@freebsd.org
X-BeenThere: dev-commits-src-main@freebsd.org
MIME-Version: 1.0
In-Reply-To: <202207112249.26BMn2M4035013@gitrepo.freebsd.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,SHORTCIRCUIT
	autolearn=disabled version=3.4.2
X-Spam-Report: 
	* -0.0 SHORTCIRCUIT No description available.
	* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net
X-Rspamd-Queue-Id: 4Lj2H06gLQz45NR
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=fail (mx1.freebsd.org: domain of eugen@grosbein.net does not designate 2a01:4f8:c2c:26d8::2 as permitted sender) smtp.mailfrom=eugen@grosbein.net
X-Spamd-Result: default: False [-2.10 / 15.00];
	R_SPF_FAIL(1.00)[-all];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-1.000];
	MIME_GOOD(-0.10)[text/plain];
	MLMMJ_DEST(0.00)[dev-commits-src-main,dev-commits-src-all];
	FROM_EQ_ENVFROM(0.00)[];
	MIME_TRACE(0.00)[0:+];
	R_DKIM_NA(0.00)[];
	ASN(0.00)[asn:24940, ipnet:2a01:4f8::/32, country:DE];
	RCVD_COUNT_THREE(0.00)[3];
	ARC_NA(0.00)[];
	RCVD_TLS_ALL(0.00)[];
	FROM_HAS_DN(0.00)[];
	FREEFALL_USER(0.00)[eugen];
	TO_DN_SOME(0.00)[];
	RCPT_COUNT_THREE(0.00)[4];
	DMARC_NA(0.00)[grosbein.net];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	MID_RHS_MATCH_FROM(0.00)[]
X-ThisMailContainsUnwantedMimeParts: N

12.07.2022 5:49, Mateusz Piotrowski wrote:

> The branch main has been updated by 0mp (doc, ports committer):
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=6452fb1e87ed9d00b52fa1e63e7c3a7516c9586c
> 
> commit 6452fb1e87ed9d00b52fa1e63e7c3a7516c9586c
> Author:     Mateusz Piotrowski <0mp@FreeBSD.org>
> AuthorDate: 2022-07-11 22:43:27 +0000
> Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
> CommitDate: 2022-07-11 22:47:58 +0000
> 
>     protect.1: Document that protect(1) does not work in jails
>     
>     The reason is that in order to protect a process procctl(2) needs
>     the PRIV_VM_MADV_PROTECT privilege, which is currently denied in jails
>     (see kern_jail.c).
>     
>     MFC after:      1 week
> ---
>  usr.bin/protect/protect.1 | 20 +++++++++++++++++++-
>  1 file changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/usr.bin/protect/protect.1 b/usr.bin/protect/protect.1
> index 87a8169b1885..f67a8d9b59ea 100644
> --- a/usr.bin/protect/protect.1
> +++ b/usr.bin/protect/protect.1
> @@ -25,7 +25,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
> -.Dd July 7, 2022
> +.Dd July 12, 2022
>  .Dt PROTECT 1
>  .Os
>  .Sh NAME
> @@ -112,6 +112,24 @@ bit is set to 1.
>  All children of this process will also be protected if
>  .Nm PI
>  bit is set to 1.
> +.Sh DIAGNOSTICS
> +.Bl -diag
> +.It "protect: procctl: Operation not permitted"
> +The
> +.Nm
> +command does not have the required permissions to protect selected processes.
> +There are many reasons why this could be the case, e.g.:
> +.Bl -dash
> +.It
> +.Nm
> +is not executed by root.
> +.It
> +.Nm
> +is executed inside a
> +.Xr jail 8 ,
> +which is not supported at the moment.
> +.El
> +.El
>  .Sh SEE ALSO
>  .Xr ps 1 ,
>  .Xr procctl 2 ,
> 
> 

Does it mean that syslogd_oomprotect="YES" in /etc/defaults/rc.conf is inappropriate for full-blown jail
and results in failure of syslogd startup in such jail with defaults?