[Bug 239393] connect(2) returns EACCESS in vnet jail
bugzilla-noreply at freebsd.org
Tue Jul 23 05:56:25 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239393
Bug ID: 239393
Summary: connect(2) returns EACCESS in vnet jail
Product: Base System
Version: 12.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yuri at freebsd.org
All connect(2) calls fail in the vnet jail, for example:
> 20421 ssh CALL socket(PF_INET,0x1<SOCK_STREAM>,IPPROTO_TCP)
> 20421 ssh RET socket 3
> 20421 ssh CALL fcntl(0x3,F_SETFD,FD_CLOEXEC)
> 20421 ssh RET fcntl 0
> 20421 ssh CALL connect(0x3,0x8002770b0,0x10)
> 20421 ssh STRU struct sockaddr { AF_INET, 192.168.5.1:22 }
> 20421 ssh RET connect -1 errno 13 Permission denied
In jail:
> $ ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
> inet 127.0.0.1 netmask 0xff000000
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> groups: lo
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> ng0_rsnapshot: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=28<VLAN_MTU,JUMBO_MTU>
> ether 02:f8:e0:1a:a7:22
> inet 192.168.5.203 netmask 0xffffff00 broadcast 192.168.5.255
> inet6 fe80::f8:e0ff:fe1a:a722%ng0_rsnapshot prefixlen 64 scopeid 0x2
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ng0_rsnapshot has been created using /usr/src/share/examples/jails/jng:
> jng bridge rsnapshot sk0
ng0_rsnapshot is a netgraph-based pseudo-interface connected to ng_bridge:
> $ sudo ngctl list
> There are 4 total nodes:
> Name: sk0bridge Type: bridge ID: 00000054 Num hooks: 3
> Name: ng0_rsnapshot Type: eiface ID: 00000059 Num hooks: 1
> Name: ngctl20803 Type: socket ID: 0000005d Num hooks: 0
> Name: sk0 Type: ether ID: 0000002d Num hooks: 2
The problem:
The man page connect(2) only says that EACCES can occur for broadcast
requests:
> [EACCES] An attempt is made to connect to a broadcast address
> (obtained through the INADDR_BROADCAST constant or the
> INADDR_NONE return value) through a socket that does
> not provide broadcast functionality.
At least this man page is wrong because it doesn't list the cause of EACCES in
my case.
The EACCES failure is also possibly a bug, because it's hard to see what is
wrong: why can't it connect in a normal way, or return a normal socket-specific
error code?
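The following is an added triage helper, not code from the bug report, from FreeBSD or from the jng example; the function names `probe_connect` and `documented_eacces_cause` are my own. It reproduces the one EACCES cause that connect(2) does document (a connect to INADDR_BROADCAST through a socket without SO_BROADCAST), so that an unexpected EACCES, such as the one seen in the vnet jail above, can be checked against that documented cause before it is treated as a kernel bug. UDP sockets are used for every probe because a datagram connect() only records the peer and does the route/permission check without sending anything, so it returns immediately and never needs a listener.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse a dotted-quad IPv4 address and port into a sockaddr_in.
 * Returns 0 on success or EINVAL if the address does not parse. */
static int make_sockaddr(const char *ip, unsigned short port, struct sockaddr_in *sin)
{
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sin->sin_addr) == 1 ? 0 : EINVAL;
}

/* Does the EACCES cause documented in connect(2) apply?  That cause is:
 * destination is the limited broadcast address (INADDR_BROADCAST) and the
 * socket has not been given broadcast functionality via SO_BROADCAST. */
int documented_eacces_cause(const char *ip, int so_broadcast_set)
{
    struct sockaddr_in sin;
    if (make_sockaddr(ip, 0, &sin) != 0)
        return 0;
    return sin.sin_addr.s_addr == htonl(INADDR_BROADCAST) && !so_broadcast_set;
}

/* Open an AF_INET socket of the given type, optionally set SO_BROADCAST,
 * and try connect().  Returns 0 on success, otherwise the errno produced by
 * connect() or by an earlier step.  The socket is always closed. */
int probe_connect(int type, const char *ip, unsigned short port, int want_broadcast)
{
    struct sockaddr_in sin;
    int err = make_sockaddr(ip, port, &sin);
    if (err != 0)
        return err;                     /* bad address: no socket is opened */

    int fd = socket(AF_INET, type, 0);
    if (fd < 0)
        return errno;

    if (want_broadcast) {
        int one = 1;
        if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof one) < 0) {
            err = errno;
            close(fd);
            return err;
        }
    }

    if (connect(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    /* Constructed probes.  The first is the documented EACCES case, the
     * second is the same destination with SO_BROADCAST set (expected to
     * succeed if a route exists), the third mirrors the report's peer. */
    const struct { const char *ip; int bcast; } probes[] = {
        { "255.255.255.255", 0 },
        { "255.255.255.255", 1 },
        { "192.168.5.1",     0 },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int err = probe_connect(SOCK_DGRAM, probes[i].ip, 22, probes[i].bcast);
        printf("connect %s:22 SO_BROADCAST=%d -> ", probes[i].ip, probes[i].bcast);
        if (err == 0)
            printf("RET connect 0");
        else
            printf("RET connect -1 errno %d %s", err, strerror(err));
        printf(" (documented EACCES cause applies: %s)\n",
               documented_eacces_cause(probes[i].ip, probes[i].bcast) ? "yes" : "no");
    }
    return 0;
}
```

For the destination in the report, 192.168.5.1 with no SO_BROADCAST involved, `documented_eacces_cause` answers no, which is exactly the reporter's point: whatever produced errno 13 in the jail is not the case the man page describes, so the next place to look is the jail's own networking path (the eiface/ng_bridge setup) rather than the socket options.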