
Re: [ezjail] per jail security parameters



On Tue, Jul 30, 2013 at 04:47:55PM +0200, kaltheat AT googlemail DOT com wrote:
> On Mon, Jul 29, 2013 at 09:17:50AM +0200, kaltheat wrote:
> > 
> > Hi,
> > 
> > I'm searching for something that is AFAIK not documented anywhere.
> > 
> > I want to use per jail security parameters (introduced to FreeBSD 9.1 ?).
> > For example I want to allow raw sockets to a single jail and not to all
> > jails of a jail-host (which was the old way I think). From what I've seen
> > so far it should be possible if one uses base-systems jail-rc-script along
> > with jail.conf. But how can I use it with ezjail?
> > 
> 
> I tried to set the jail-parameter-variable in the jail-configuration-file
> under /usr/local/etc/ezjail. No success.
> 

I'd suggest showing your config file.

 root@bolt:~ # sysctl -n security.jail.allow_raw_sockets
 0
 root@bolt:~ # ezjail-admin console -e 'ping -c1 www.freebsd.org' pkg0
 ping: socket: Operation not permitted
 root@bolt:~ # echo 'export jail_pkg0_parameters="allow.raw_sockets=1"' \
    >> /usr/local/etc/ezjail/pkg0
 root@bolt:~ # ezjail-admin restart pkg0 >/dev/null
 root@bolt:~ # ezjail-admin console -e 'sysctl -n security.jail.allow_raw_sockets' pkg0
 1
 root@bolt:~ # ezjail-admin console -e 'ping -c1 www.freebsd.org' pkg0
 PING wfe0.ysv.freebsd.org (8.8.178.110): 56 data bytes
 64 bytes from 8.8.178.110: icmp_seq=0 ttl=57 time=73.121 ms
 
 --- wfe0.ysv.freebsd.org ping statistics ---
 1 packets transmitted, 1 packets received, 0.0% packet loss
 round-trip min/avg/max/stddev = 73.121/73.121/73.121/0.000 ms

Glen

Attachment: pgpd2shTqShpm.pgp
Description: PGP signature
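
The message above enables a permission for one jail through its jail_<name>_parameters line. The following audit sketch is an added example, not part of the original message or of ezjail: it lists which jail configs grant allow.* parameters. The function names, the sample jails web1 and db1, and the assumption that the value is a whitespace-separated list of jail(8) tokens are all made up for the illustration.

```sh
#!/bin/sh
# Added example. Assumes the parameters value is a whitespace-separated list
# of jail(8) tokens, as in the message's jail_pkg0_parameters line.

# Print "<jail> <parameter>" for each enabled allow.* parameter under DIR.
list_jail_allow_params() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # The message appends with >>, so a file may hold several assignments;
        # the last one wins when the file is sourced.
        line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?jail_[A-Za-z0-9_]+_parameters=' "$f" | tail -n 1)
        [ -n "$line" ] || continue
        name=$(printf '%s\n' "$line" | sed -E 's/^.*jail_([A-Za-z0-9_]+)_parameters=.*$/\1/')
        value=$(printf '%s\n' "$line" | sed -E 's/^[^=]*=//' | tr -d "\"'")
        for p in $value; do
            p=${p%\;}
            case $p in
                allow.*=0|allow.*=false|allow.no*) ;;  # explicitly disabled
                allow.*) printf '%s %s\n' "$name" "$p" ;;
            esac
        done
    done
}

# Constructed sample configs; jails web1 and db1 are made up.
write_sample() {
cat > "$1/pkg0" <<'EOF'
export jail_pkg0_hostname="pkg0"
export jail_pkg0_parameters="allow.raw_sockets=1"
EOF
cat > "$1/web1" <<'EOF'
export jail_web1_parameters="allow.raw_sockets=1 allow.sysvipc=1"
export jail_web1_parameters="allow.raw_sockets=0 allow.sysvipc=1"
EOF
cat > "$1/db1" <<'EOF'
export jail_db1_hostname="db1"
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
list_jail_allow_params "$tmp"
rm -r "$tmp"
```

On a jail host, call list_jail_allow_params /usr/local/etc/ezjail and compare the result with the list of jails that are meant to hold each permission.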