From: Alexander Leidinger
To: arch@freebsd.org
Date: Thu, 01 Jun 2023 12:24:31 +0200
Subject: Automatic service jails - review request
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

Hi,

I implemented a functionality which allows rc.d services to be put
into jails automatically. They inherit the same filesystem, and maybe the
same network / jailed sysvipc / ..., so it's not the same isolation as
a manual jail with a separate filesystem, but at least you can
restrict access to sysvipc, parts of net, ..., and unrelated processes
automatically (1-2 config lines in rc.conf). The included man-page
change contains more info.
I'm intentionally a bit less verbose here,
as this is also a test to see if the man page is good enough to
describe this.

I have put up some reviews in Phabricator:
  - https://reviews.freebsd.org/D40369
    -> Extend /usr/bin/service with the possibility to set ENV vars.
       This is a pre-req for the functionality.
  - https://reviews.freebsd.org/D40370
    -> The implementation.
  - https://reviews.freebsd.org/D40371
    -> Additional config for /some/ basesystem services (e.g. allow
       network access for syslogd).

The /usr/bin/service change is something which also helps in
developing/debugging rc.d scripts in general. I think it could be
committed before the branch of 14-stable (and as such would then allow
an easy MFC of the implementation later).

The other two reviews may need some revisions (and the 3rd may benefit
from further changes to services (which can come in later) I don't
have in use myself or haven't had the time to have a look at it), but
I have had those changes running for some years and I should try to get
them out the door. Peer review/pressure may help here... :)

Note, this is the second implementation which uses an env var to
track state (much simpler code than the first implementation), whereas
the first implementation tried to use different commands
("startjailed/stopjailed") to track state.

It would be nice if some people with insight into /etc/rc would have a
look at D40369 and D40370, and everyone interested in this
functionality into the man pages and whatever kind of area they can
provide some insight into.

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF