
RE: [ezjail] Limiting SysV-IPC to certain jails



> -----Original Message-----
> From: Moritz Wilhelmy [mailto:moritz AT wzff DOT de] 
> Sent: Sunday, 17 June 2012 4:13 AM
> To: ezjail AT erdgeist DOT org
> Subject: [ezjail] Limiting SysV-IPC to certain jails
> 
> Hi,
> 
> I found no documentation on limiting SysV-IPC to a certain 
> (set of) jail(s), so I went ahead and came up with the following hack.
> 
> 1. Putting the following snippet into /etc/rc.conf:
> jail_sysvipc_allow="${jail_sysvipc_allow_override:-NO}"
> 
> 2. Adding the following snippet to 
> /usr/local/etc/ezjail/postgres_or_whatever
> export jail_sysvipc_allow_override="YES"
> 
> This solves the problem, but is still rather ugly. I don't 
> know; if nobody has done this before, it might be useful for 
> somebody, which is why I'm posting it to this list. I don't 
> want to allow SysV-IPC for all jails, because it allows one 
> jail to corrupt another one's memory (e.g.
> when two jails are running postgres under the same UID.)
> 
> Maybe somebody comes up with a better way to do this (or 
> fixes SysV-IPC in jailed environments, or, even better, can 
> tell me how to make postgres not use SysV-IPC in the first place).
> 
> 
> Best regards,
> 
> Moritz


I think this might be a cleaner and more general-purpose solution.  I have
a jail b1 that builds the port system, and it needs sysvipc.  So append the
following line to /usr/local/etc/ezjail/b1:

export jail_b1_parameters="allow.sysvipc allow.raw_sockets"

Then place the following into
/usr/ports/sysutils/ezjails/files/patch-Makefile-parameters
so that it is applied during a port rebuild:
--- /usr/local/etc/rc.d/ezjail.orig     2012-01-10 06:44:01.000000000 +1100
+++ ezjail.sh   2012-01-10 06:49:43.000000000 +1100
@@ -112,6 +112,7 @@

       eval ezjail_zfs_datasets=\"\$jail_${ezjail_safename}_zfs_datasets\"
       eval ezjail_cpuset=\"\$jail_${ezjail_safename}_cpuset\"
+      eval ezjail_parameters=\"\$jail_${ezjail_safename}_parameters\"

       # Attach ZFS-datasets to the jail
       for zfs in ${ezjail_zfs_datasets}; do
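Review bot: the `eval ezjail_parameters=\"\$jail_${ezjail_safename}_parameters\"` line added after the cpuset line is not used anywhere in this hunk, and the second hunk evaluates exactly the same expression again inside its own loop right before the value is needed. Keep only one of the two so the parameter source is defined in a single place; the copy in the start/restart loop is the one that does the work.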
@@ -123,6 +124,18 @@
     done
   fi

+  if [ "${action%crypto}" = "start" -o "${action}" = "restart" ]; then
+     for ezjail in ${ezjail_list}; do
+       ezjail_safename=`echo -n "${ezjail}" | tr -c '[:alnum:]' _`
+       [ -f "/var/run/jail_${ezjail_safename}.id" ] && ezjail_id=`cat
/var/run/jail_${ezjail_safename}.id`
+       # Assign parameters to the newly created jail per man 8 jail
+       eval ezjail_parameters=\"\$jail_${ezjail_safename}_parameters\"
+       [ -z "${ezjail_parameters}" ] || /usr/sbin/jail -m jid=${ezjail_id}
${ezjail_parameters}
+       # This should be in /etc/rc.d/jail, but...
+       /usr/sbin/jail -m jid=${ezjail_id} name=${ezjail_safename}
+     done
+   fi
+
   # Can only detach after unmounting (from fstab.JAILNAME in
/etc/rc.d/jail)
   attach_detach_post
 }
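Review bot: `ezjail_id` is never reset between loop iterations, so when `/var/run/jail_${ezjail_safename}.id` is missing for one jail the `[ -f ... ] && ezjail_id=...` line silently keeps the previous jail's id and both `jail -m jid=${ezjail_id} ...` calls then modify the wrong jail, including granting it the other jail's `allow.*` parameters. Bail out of the iteration instead, e.g. `[ -f "/var/run/jail_${ezjail_safename}.id" ] || continue` before reading the id. Two smaller points: the `jail -m jid=${ezjail_id} name=${ezjail_safename}` line runs for every jail regardless of whether any parameters were set, which is a separate behaviour change that deserves its own comment; and the mail client has wrapped the `ezjail_id=\`cat`, `jail -m`, and "Can only detach" lines, so the patch as shown will not apply until those three lines are rejoined.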

From within the jail, these sysctls are set:

security.jail.sysvipc_allowed: 1
security.jail.allow_raw_sockets: 1

(Though I must admit that I expected the following to be set:
security.jail.param.allow.sysvipc
security.jail.param.allow.raw_sockets)


I hope that this is of some use to you. Oh, the patch also enables me to use:

jexec b1 tcsh # because numbers are hard to remember

Regards, Dewayne
PS I'm not technical just a tenacious bastard, so there's probably a better
solution :)
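Both messages in this thread are about granting allow.sysvipc to a few jails and nobody else; the following added example (not code from either poster or from ezjail) is a host-side audit that parses `jls -h jid name allow.sysvipc allow.raw_sockets` output and fails if any jail outside an allow-list carries allow.sysvipc. The jls sample is constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Audit which jails carry allow.sysvipc / allow.raw_sockets after the
# per-jail "jail -m jid=... allow.sysvipc" settings from the thread have
# been applied. Input is the output of:
#   jls -h jid name allow.sysvipc allow.raw_sockets
# (-h prints a header naming the columns). The sample below is constructed
# for this example, not captured from a real host.
SAMPLE_JLS='jid name allow.sysvipc allow.raw_sockets
1 b1 1 1
2 postgres_or_whatever 1 0
3 www 0 0'

# jails_with_param PARAM  (stdin: jls -h output)
# Prints the name of every jail whose PARAM column is 1. Column positions
# are taken from the header, so the argument order given to jls does not
# matter as long as "name" and PARAM are both listed.
jails_with_param() {
    awk -v p="$1" '
        NR == 1 {
            for (i = 1; i <= NF; i++) { if ($i == "name") n = i; if ($i == p) c = i }
            next
        }
        n && c && $c == 1 { print $n }'
}

# check_sysvipc_allowlist "jail1 jail2 ..."  (stdin: jls -h output)
# Returns 0 when only the listed jails have allow.sysvipc, otherwise prints
# each offender and returns 1. Jails that share SysV IPC can reach each
# other's shared memory when they run the same UID, so every unexpected
# grant is worth an alert.
check_sysvipc_allowlist() {
    allow=" $1 "
    rc=0
    for j in $(jails_with_param allow.sysvipc); do
        case "$allow" in
            *" $j "*) ;;
            *) echo "unexpected allow.sysvipc on jail $j"; rc=1 ;;
        esac
    done
    return $rc
}
```

On a real host replace the sample with `jls -h jid name allow.sysvipc allow.raw_sockets | check_sysvipc_allowlist "b1 postgres"` from cron and act on a non-zero exit.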