
Re: [ezjail] per jail security parameters



---- On Tue, 30 Jul 2013 17:12:34 +0200 Glen Barber  wrote ---- 

>On Tue, Jul 30, 2013 at 04:47:55PM +0200, kaltheat AT googlemail DOT com wrote: 
>> On Mon, Jul 29, 2013 at 09:17:50AM +0200, kaltheat wrote: 
>> > 
>> > Hi, 
>> > 
>> > I'm searching for something that is AFAIK not documented anywhere. 
>> > 
>> > I want to use per-jail security parameters (introduced in FreeBSD 9.1?). 
>> > For example, I want to allow raw sockets for a single jail and not for all 
>> > jails of a jail host (which was the old way, I think). From what I've seen 
>> > so far it should be possible if one uses the base system's jail rc script along 
>> > with jail.conf. But how can I use it with ezjail? 
>> > 
>> 
>> I tried to set the jail parameter variable in the jail configuration file 
>> under /usr/local/etc/ezjail. No success. 
>> 
> 
>I'd suggest showing your config file. 
> 
> root@bolt:~ # sysctl -n security.jail.allow_raw_sockets 
> 0 
> root@bolt:~ # ezjail-admin console -e 'ping -c1 www.freebsd.org' pkg0 
> ping: socket: Operation not permitted 
> root@bolt:~ # echo 'export jail_pkg0_parameters="allow.raw_sockets=1"' >> /usr/local/etc/ezjail/pkg0 
> root@bolt:~ # ezjail-admin restart pkg0 >/dev/null 
> root@bolt:~ # ezjail-admin console -e 'sysctl -n security.jail.allow_raw_sockets' pkg0 
> 1 
> root@bolt:~ # ezjail-admin console -e 'ping -c1 www.freebsd.org' pkg0 
> PING wfe0.ysv.freebsd.org (8.8.178.110): 56 data bytes 
> 64 bytes from 8.8.178.110: icmp_seq=0 ttl=57 time=73.121 ms 
> 
> --- wfe0.ysv.freebsd.org ping statistics --- 
> 1 packets transmitted, 1 packets received, 0.0% packet loss 
> round-trip min/avg/max/stddev = 73.121/73.121/73.121/0.000 ms 
> 
>Glen 
> 

That's what I did. I rechecked it once again by resetting and doing step by step
what you did. No success. security.jail.allow_raw_sockets in the jail stays 0 here.

In rc.conf I only have ezjail_enable="YES" and an ifconfig alias definition for that jail.
I'm using ezjail with ZFS and everything else is default (no special devfs rules,
no /etc/jails.conf, ...). I tried on a machine with em interfaces and on another
with igb. No difference.

Anything special on your side?

Regards,
kaltheat
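The thread turns on whether a `jail_<name>_parameters` line in the ezjail config is what grants `allow.raw_sockets` to one jail rather than to every jail on the host. The POSIX sh helper below is an added example, not code from the thread or from ezjail itself. It audits a directory of ezjail config files and reports, per jail, whether raw sockets are granted by that jail's own parameters, so a per-jail exception is visible rather than silently inherited from the host-wide sysctl. It assumes the layout the thread shows: one file per jail under /usr/local/etc/ezjail named after the jail (jail names without dots), with parameters written as `export jail_<name>_parameters="key=value ..."`. The sample config directory it builds is constructed for demonstration only.

```shell
#!/bin/sh
# Added audit helper for ezjail per-jail parameters (example code, not ezjail's own).
# Assumptions: each jail's config lives at <dir>/<jailname>, jail names contain no
# dots, and per-jail parameters are given as
#   export jail_<jailname>_parameters="allow.raw_sockets=1 ..."

# Print the last jail_<name>_parameters value in a config file
# (when ezjail sources the file with sh, the last assignment wins).
ezjail_get_parameters() {
    file="$1"; name="$2"
    sed -n "s/^[[:space:]]*export[[:space:]][[:space:]]*jail_${name}_parameters=\"\([^\"]*\)\".*/\1/p" "$file" |
        tail -n 1
}

# Return 0 if the jail's own parameters grant raw sockets, 1 if not, 2 if no config.
ezjail_raw_sockets_allowed() {
    dir="$1"; name="$2"
    [ -f "$dir/$name" ] || return 2
    ezjail_get_parameters "$dir/$name" "$name" | tr ' ' '\n' | grep -qx 'allow.raw_sockets=1'
}

# One line per jail: "<name> raw_sockets=<yes|no> parameters=<value or <none>>".
ezjail_audit() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        params=$(ezjail_get_parameters "$f" "$name")
        if ezjail_raw_sockets_allowed "$dir" "$name"; then state=yes; else state=no; fi
        printf '%s raw_sockets=%s parameters=%s\n' "$name" "$state" "${params:-<none>}"
    done
}

# Host-wide knob that the per-jail parameter is meant to override.
# Only meaningful on FreeBSD; prints nothing on other systems.
ezjail_global_raw_sockets() {
    sysctl -n security.jail.allow_raw_sockets 2>/dev/null
}

# Constructed sample directory mirroring the thread's pkg0 case plus two
# jails without the grant, so the functions can be exercised on any host.
ezjail_sample_dir() {
    d=$(mktemp -d)
    printf 'export jail_pkg0_hostname="pkg0"\nexport jail_pkg0_ip="lo1|10.0.0.2"\nexport jail_pkg0_parameters="allow.raw_sockets=1"\n' > "$d/pkg0"
    printf 'export jail_www_hostname="www"\nexport jail_www_ip="lo1|10.0.0.3"\n' > "$d/www"
    printf 'export jail_db_parameters="allow.raw_sockets=0 allow.sysvipc=1"\n' > "$d/db"
    echo "$d"
}

# Stand-alone run: audit the constructed sample directory.
sample=$(ezjail_sample_dir)
ezjail_audit "$sample"
rm -rf "$sample"
```

On a real host, `ezjail_audit /usr/local/etc/ezjail` lists every jail's grant status; reading it next to `ezjail_global_raw_sockets` shows whether a jail that can open raw sockets got that from its own parameters line or from the global sysctl being set to 1, which is the difference the thread is trying to pin down.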