ZFS and Jail :: nullfs mount :: nothing visible from host

SK fbstable at cps-intl.org
Fri Dec 9 10:13:00 UTC 2016 

On 08/12/2016 20:42, Miroslav Lachman wrote:
> SK wrote on 2016/12/08 20:13:
>
>> Initially they were not visible from within the jail, but as I ran
>> zfs jail testJail gT/JailS/testJail
>> they were visible from inside.
>
> You can add zfs jail testJail gT/JailS/testJail to your jail.conf post 
> exec so it will be executed automatically.
>
Good morning Miroslav, apologies for the delayed response -- went home 
last night since the brain was going into "sleep" mode :P


done that, with a variable so they fit right into whatever jail it is 
run from :D. Thanks for the pointer.

>> root at testJail:/ # zfs create gT/JailS/testJail/test
>> *cannot create 'gT/JailS/testJail/test': permission denied*
>> root at testJail:/ # exit
>
> zfs list is good start. I never used zfs from within jail so I cannot 
> comment on permission denied. I don't know what more must be done.
>
I'm not sure which list you are referring to. I could not find any zfs 
list in FreeBSD mailing list lists

>
> Send us `sysctl security.jail` from host and from jail too.
>
>
Giving the sysctl values later in the email, just one other thing in 
case someone does not want to see them but would still be interested on 
what I am trying to achieve.

Right now, as it stands, I can make do with what I have achieved -- 
i.e., I can manage the zfs datasets from /outside/ of jail while the 
newly created datasets are still visible /inside/ the jail.

But, what I would really like to have

a) ONLY the relevant datasets for a jail are visible and can be 
manipulated from within the jail. I do not mind if they are visible from 
host (in fact, I might prefer that -- not manipulate, just see and maybe 
take snapshot of what is there -- helps in centralizing backups). But 
the Jails /must not/ see each others' datasets

b) if that is not achievable, maybe not allow the jails to see the 
complete dataset hierarchy -- just make them feel that they are where 
they are in a root, but still be able to create datasets that would 
magically show up in the respective jails. This way, the total control 
is from the host itself, where no one has access to, but the datasets 
are restricted to different jails.

Now, for the sysctl values, here they come

##### From host itself

security.jail.param.sysvshm.: 0
security.jail.param.sysvsem.: 0
security.jail.param.sysvmsg.: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.tmpfs: 0
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.fdescfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.: 0
security.jail.param.allow.socket_af: 0
security.jail.param.allow.quotas: 0
security.jail.param.allow.chflags: 0
security.jail.param.allow.raw_sockets: 0
security.jail.param.allow.sysvipc: 0
security.jail.param.allow.set_hostname: 0
security.jail.param.ip6.saddrsel: 0
security.jail.param.ip6.: 0
security.jail.param.ip4.saddrsel: 0
security.jail.param.ip4.: 0
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.host.: 0
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.dying: 0
security.jail.param.vnet: 0
security.jail.param.persist: 0
security.jail.param.devfs_ruleset: 0
security.jail.param.enforce_statfs: 0
security.jail.param.osrelease: 32
security.jail.param.osreldate: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.devfs_ruleset: 0
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_linsysfs_allowed: 0
security.jail.mount_linprocfs_allowed: 0
security.jail.mount_procfs_allowed: 0
security.jail.mount_nullfs_allowed: 0
security.jail.mount_fdescfs_allowed: 0
security.jail.mount_devfs_allowed: 0
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.vnet: 0
security.jail.jailed: 0



#### and from inside the jail
root at testJail:/ # sysctl security.jail

security.jail.param.sysvshm.: 0
security.jail.param.sysvsem.: 0
security.jail.param.sysvmsg.: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.tmpfs: 0
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.fdescfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.: 0
security.jail.param.allow.socket_af: 0
security.jail.param.allow.quotas: 0
security.jail.param.allow.chflags: 0
security.jail.param.allow.raw_sockets: 0
security.jail.param.allow.sysvipc: 0
security.jail.param.allow.set_hostname: 0
security.jail.param.ip6.saddrsel: 0
security.jail.param.ip6.: 0
security.jail.param.ip4.saddrsel: 0
security.jail.param.ip4.: 0
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.host.: 0
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.dying: 0
security.jail.param.vnet: 0
security.jail.param.persist: 0
security.jail.param.devfs_ruleset: 0
security.jail.param.enforce_statfs: 0
security.jail.param.osrelease: 32
security.jail.param.osreldate: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.devfs_ruleset: 4
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_linsysfs_allowed: 0
security.jail.mount_linprocfs_allowed: 0
security.jail.mount_procfs_allowed: 1
security.jail.mount_nullfs_allowed: 0
security.jail.mount_fdescfs_allowed: 0
security.jail.mount_devfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.vnet: 1
security.jail.jailed: 1
root at testJail:/ # exit

More information about the freebsd-jail mailing list