jail vnet bug

Devin Teske devin.teske at fisglobal.com
Sat Aug 27 08:22:52 UTC 2011


Hi all,

Not sure if this is a bug, but I'm using 8.1-RELEASE-p4 with VIMAGE enabled and am experiencing something odd.

I set sysctl security.jail.mount_allowed=1 and then fire up a jail, all is good (jail has value of 1).

I then set sysctl security.jail.enforce_statfs=1 and then restart the jail. Again, all is good (jail has value of 1).

I then fire up my vimage jails, and all is bad. Values still show 0 (mount_allowed) and 2 (enforce_statfs).

So I went into the kernel and forced their default values, which appeared to work, but only partly.

The following [undesirable] patch was enough to get enforce_statfs working:

--- sys/kern/kern_jail.c.orig   2011-08-26 23:41:27.000000000 -0700+++ sys/kern/kern_jail.c        2011-08-27 00:44:45.000000000 -0700
@@ -202,7 +202,7 @@
 #define        JAIL_DEFAULT_ALLOW              PR_ALLOW_SET_HOSTNAME
-#define        JAIL_DEFAULT_ENFORCE_STATFS     2
+#define        JAIL_DEFAULT_ENFORCE_STATFS     1
 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
 static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS;
 #if defined(INET) || defined(INET6)
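Review bot: lowering JAIL_DEFAULT_ENFORCE_STATFS only changes the boot-time initial value of jail_default_enforce_statfs, and that variable is exactly what the existing security.jail.enforce_statfs sysctl already writes at run time (the message says it was set to 1 before the vnet jails were started, yet they reported 2). A jail that does not pick up the run-time default is not fixed by this hunk; the hunk merely moves the default for every jail, vnet or not. The place to look is where a vnet jail's enforce_statfs value is assigned at creation, and the supported way to get a single jail to 1 is to pass enforce_statfs as a per-jail parameter when the jail is created rather than editing the compile-time default.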

However, the following [equally undesirable] patch was NOT enough to get mount(8) to work:

@@ -4113,4 +4114,4 @@
 SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
-    NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
+    (void *)1, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
     "Processes in jail can mount/unmount jail-friendly file systems");
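Review bot: this hunk leaves the flag bit (arg2, PR_ALLOW_MOUNT) untouched and only replaces the NULL arg1 with (void *)1, so by itself it cannot add PR_ALLOW_MOUNT to the default allow mask. Worse, in kern_jail.c a non-NULL arg1 is the marker the shared handler sysctl_jail_default_allow uses for inverted-sense sysctls (it reports the negation of the bit and stores the inverse of what is written), so the hunk flips what security.jail.mount_allowed means. That matches the output further down in the message: the vnet jail reports mount_allowed: 1 and gets "Operation not permitted", while the non-vnet jail reports 0 and mounts without complaint. Restore `NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",` and look instead at why the vnet jail's own allow mask does not carry PR_ALLOW_MOUNT, since that mask, not the sysctl's reported value, is what the mount permission check consults.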

Here's what I'm getting for an error...

vnettest# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.1 netmask 0xff000000 
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether XX:XX:XX:XX:XX:XX
	inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.X
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 1
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
mount_nfs: /mnt, : Operation not permitted

Meanwhile, over in the jail (non-vnet):

vnettest# ifconfig -l
bge0 fxp0 plip0 ipfw0 lo0 epair0a bridge0
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 0
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
vnettest# df -Th
Filesystem     Type     Size    Used   Avail Capacity  Mounted on
/dev/ad4s1f    ufs      137G    4.1G    122G     3%    /
devfs          devfs    1.0K    1.0K      0B   100%    /dev
build1:/repos  nfs       99G     63G     29G    69%    /mnt
vnettest# umount /mnt
vnettest# df -Th
Filesystem   Type     Size    Used   Avail Capacity  Mounted on
/dev/ad4s1f  ufs      137G    4.1G    122G     3%    /
devfs        devfs    1.0K    1.0K      0B   100%    /dev

Any advice would be helpful. The core issue is that we've finally achieved NFS mounting within a jail (many thanks to Martin Matuska for his patch), but are not able to replicate our success in a vnet jail.
-- 
Devin
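A user-space model, added here and not part of the post or of FreeBSD's kern_jail.c, of the sysctl convention the two hunks touch: arg2 carries the permission bit, arg1 non-NULL marks an inverted-sense sysctl, a jail copies the default allow mask when it is created, and the mount permission check reads the jail's own mask rather than the sysctl's reported value. The bit values, the struct layouts and the function bodies are constructed for the example (only PR_ALLOW_SET_HOSTNAME and PR_ALLOW_MOUNT appear in the message); the scenario function runs the host sysctl write, the jail creation and the in-jail read/check sequence once with arg1 = NULL and once with arg1 = (void *)1.

```c
/* Added example: a user-space model of the "default allow" sysctl shown in
 * the post. Not FreeBSD's kern_jail.c; bit values and bodies are constructed
 * for illustration. Compile: cc -std=c99 -Wall model.c */
#include <stddef.h>
#include <stdio.h>

/* Bit layout constructed for this example. */
#define PR_ALLOW_SET_HOSTNAME 0x01u
#define PR_ALLOW_MOUNT        0x10u

/* Default applied to jails created later (models jail_default_allow). */
static unsigned jail_default_allow = PR_ALLOW_SET_HOSTNAME;

/* Each jail keeps its own copy of the allow mask (models pr_allow). */
struct prison {
    unsigned pr_allow;
};

/* Models SYSCTL_PROC's arg1/arg2 for this handler: arg2 is the flag bit,
 * a non-NULL arg1 means "report and accept the inverse of the bit". */
struct allow_sysctl {
    void *arg1;
    unsigned arg2;
};

/* What "sysctl security.jail.<name>" prints for the caller: the host
 * (pr == NULL) sees the default, a jailed caller sees its own jail's mask. */
int allow_sysctl_read(const struct allow_sysctl *sc, const struct prison *pr)
{
    unsigned allow = (pr == NULL) ? jail_default_allow : pr->pr_allow;
    int i = (allow & sc->arg2) ? 1 : 0;
    if (sc->arg1 != NULL)
        i = !i;                     /* inverted-sense sysctl */
    return i;
}

/* Host writes the sysctl: updates the default used for jails created later. */
void allow_sysctl_write(const struct allow_sysctl *sc, int value)
{
    unsigned bit = value ? sc->arg2 : 0;
    if (sc->arg1 != NULL)
        bit ^= sc->arg2;            /* inverted-sense sysctl */
    jail_default_allow = (jail_default_allow & ~sc->arg2) | bit;
}

/* Jail creation: the new jail snapshots the current default. */
struct prison prison_create(void)
{
    struct prison pr = { jail_default_allow };
    return pr;
}

/* The permission check a mount would make: the jail's own mask decides. */
int prison_allow(const struct prison *pr, unsigned flag)
{
    return (pr->pr_allow & flag) != 0;
}

/* Scenario: host sets mount_allowed=1, a jail is created, then inside the
 * jail we compare the sysctl's reported value with the effective check.
 * With inverted == 0 the two agree; with (void *)1 as arg1 they diverge,
 * which is the pattern in the post's vnet output (reports 1, cannot mount). */
void scenario(int inverted, int *reported, int *effective)
{
    struct allow_sysctl sc = { inverted ? (void *)1 : NULL, PR_ALLOW_MOUNT };
    jail_default_allow = PR_ALLOW_SET_HOSTNAME;   /* reset between runs */
    allow_sysctl_write(&sc, 1);
    struct prison pr = prison_create();
    *reported = allow_sysctl_read(&sc, &pr);
    *effective = prison_allow(&pr, PR_ALLOW_MOUNT);
}

int main(void)
{
    int r, e;
    scenario(0, &r, &e);
    printf("arg1=NULL:      sysctl reports %d, mount check %d\n", r, e);
    scenario(1, &r, &e);
    printf("arg1=(void *)1: sysctl reports %d, mount check %d\n", r, e);
    return 0;
}
```

The point the model makes is that a sysctl read inside a jail is a view, not the thing the permission check consults; a reading of 1 next to "Operation not permitted" is the signature of the view and the mask having drifted apart, which is what the second hunk produces.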



More information about the freebsd-questions mailing list