sysctl variables not propagating to children jails
Edwin Shao
eshao at andrew.cmu.edu
Wed Jun 10 01:15:26 UTC 2009
Hi,
In the most recent -current, I've noticed that sysctl variables no
longer propagate to jails and thus it is impossible to allow raw
sockets, allow mounting, etc. This might be related to
<http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00847.html>.
For example, in parent:
hyper ~> sysctl security
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0
In child:
t# sysctl security
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 0
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 1
security.bsd.suser_enabled: 1
security.bsd.unprivileged_proc_debug: 1
security.bsd.conservative_signals: 1
security.bsd.see_other_gids: 1
security.bsd.see_other_uids: 1
security.bsd.unprivileged_read_msgbuf: 1
security.bsd.hardlink_check_gid: 0
security.bsd.hardlink_check_uid: 0
security.bsd.unprivileged_get_quota: 0
In my messages log:
Jun 9 20:10:26 hyper root: /etc/rc.d/jail: DEBUG: checkyesno: jail_enable is set to YES.
Jun 9 20:10:26 hyper root: /etc/rc.d/jail: DEBUG: run_rc_command: doit: jail_start
Jun 9 20:10:26 hyper root: /etc/rc.d/jail: DEBUG: checkyesno: jail_set_hostname_allow is set to NO.
Jun 9 20:10:26 hyper root: /etc/rc.d/jail: DEBUG: checkyesno: jail_socket_unixiproute_only is set to YES.
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: checkyesno: jail_sysvipc_allow is set to NO.
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t devfs enable: YES
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t fdescfs enable: YES
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t procfs enable: YES
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t mount enable: YES
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t hostname: t
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t ip: 10.0.0.10
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t interface:
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t fib:
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t root: /usr/jails/t
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t devdir: /usr/jails/t/dev
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t fdescdir: /usr/jails/t/dev/fd
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t procdir: /usr/jails/t/proc
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t ruleset: devfsrules_jail
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t fstab: /etc/fstab.t
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t consolelog: /var/log/jail_t_console.log
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t exec start: /bin/sh /etc/rc
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t exec stop:
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t flags: -l -U root
Jun 9 20:10:27 hyper root: /etc/rc.d/jail: DEBUG: t consolelog: /var/log/jail_t_console.log
This is using:
hyper ~> uname -a
FreeBSD hyper.nekogiri.com 8.0-CURRENT FreeBSD 8.0-CURRENT #0 r193627: Sun Jun 7 06:11:17 EDT 2009 root at hyper.nekogiri.com:/usr/obj/usr/home/eshao/wsp/freebsd/src/sys/XENNEKO i386
I noticed this problem when upgrading past this revision:
http://svn.freebsd.org/viewvc/base?view=revision&revision=192895
Please let me know if I'm doing something stupid! Or if you need more
debugging output.
Thanks,
Edwin