
Re: [ezjail] per jail security parameters



According to kaltheat:
> That's what I did. I rechecked it once again by resetting and doing step-by-step
> what you did. No success. security.jail.allow_raw_sockets in jail stays 0 here.

Weird.

I've put it in my ezjail/* files and it works:

1050 [9:58] root@centre:~# grep raw_socket /usr/local/etc/ezjail/shell_keltia_net
export jail_mail_keltia_net_parameters="allow.raw_sockets=1"

root@shell:/home/staff # sysctl -a | grep raw_socket
security.jail.allow_raw_sockets: 1
security.jail.param.allow.raw_sockets: 0

root@shell:/home/staff # ping -c 1 freefall.freebsd.org
PING freefall.freebsd.org (8.8.178.135): 56 data bytes
64 bytes from 8.8.178.135: icmp_seq=0 ttl=52 time=159.594 ms

Interesting "param" prefix for all parameters BTW, did not see these ones before. What are they used for?

> In rc.conf I only have ezjail_enable="YES" and ifconfig alias definition for that jail.
> I'm using ezjail with ZFS and anything else is default (no special devfs rules,
> no /etc/jails.conf, ...). I tried on a machine with em-Interfaces and on another
> with igb. No difference.

Here is my PREFIX/etc/ezjail/shell_keltia_net file:
-----
export jail_shell_keltia_net_hostname="shell.keltia.net"
export jail_shell_keltia_net_ip="lo0|127.0.1.5"
export jail_shell_keltia_net_rootdir="/jails/shell.keltia.net"
export jail_shell_keltia_net_exec_start="/bin/sh /etc/rc"
export jail_shell_keltia_net_exec_stop=""
export jail_shell_keltia_net_mount_enable="YES"
export jail_shell_keltia_net_devfs_enable="YES"
export jail_shell_keltia_net_devfs_ruleset="devfsrules_jail"
export jail_shell_keltia_net_procfs_enable="YES"
export jail_shell_keltia_net_fdescfs_enable="YES"
export jail_shell_keltia_net_image=""
export jail_shell_keltia_net_imagetype="zfs"
export jail_shell_keltia_net_attachparams=""
export jail_shell_keltia_net_attachblocking=""
export jail_shell_keltia_net_forceblocking=""
export jail_shell_keltia_net_zfs_datasets=""
export jail_shell_keltia_net_cpuset=""
export jail_shell_keltia_net_fib=""
export jail_shell_keltia_net_parentzfs="tank/jails"
export jail_mail_keltia_net_parameters="allow.raw_sockets=1"
export jail_shell_keltia_net_post_start_script=""
-----

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto AT keltia DOT net
In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/
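The exchange above relies on checking from inside the jail that `allow.raw_sockets` took effect. Since that flag widens what a jail may do on the network (raw IP sockets), a review of which jails actually request it is worth automating. The script below is an added example, not code from the thread or from the ezjail project: it lints an ezjail config file for variables whose jail-name part does not match the jail the file is for (the kind of `jail_mail_…` versus `jail_shell_…` mix-up that would leave a `_parameters` setting unused by the intended jail) and reports whether `allow.raw_sockets` is requested for a given jail. The sample config is constructed, modelled on the file layout shown in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or ezjail): sanity-check an ezjail config file.
# Pure POSIX sh; works on any system, no FreeBSD tools needed.

# Constructed sample config, modelled on the thread's shell_keltia_net file.
# Note the one variable that names a different jail (mail_keltia_net).
SAMPLE_CONF=$(cat <<'EOF'
export jail_shell_keltia_net_hostname="shell.keltia.net"
export jail_shell_keltia_net_ip="lo0|127.0.1.5"
export jail_shell_keltia_net_devfs_ruleset="devfsrules_jail"
export jail_mail_keltia_net_parameters="allow.raw_sockets=1"
export jail_shell_keltia_net_post_start_script=""
EOF
)

# Print every "export jail_<x>=..." variable read from stdin whose <x> does not
# start with the given jail name followed by "_". Such variables are silently
# ignored for this jail by ezjail, so any output here is a config mistake.
ezjail_mismatched_vars() {
    jail="$1"
    sed -n 's/^export \(jail_[A-Za-z0-9_]*\)=.*/\1/p' |
        grep -v "^jail_${jail}_" || true
}

# Print the value of jail_<name>_parameters (the extra jail(8) parameters ezjail
# passes when starting the jail), quotes stripped; prints nothing if unset.
ezjail_parameters() {
    jail="$1"
    sed -n "s/^export jail_${jail}_parameters=\"\(.*\)\"\$/\1/p"
}

# Return 0 if the config on stdin requests allow.raw_sockets for the jail,
# 1 otherwise. jail(8) accepts both "allow.raw_sockets=1" and a bare
# "allow.raw_sockets" as true, so both spellings are recognised.
ezjail_raw_sockets_enabled() {
    params=$(ezjail_parameters "$1")
    case " $params " in
        *" allow.raw_sockets=1 "*|*" allow.raw_sockets "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on the constructed sample for both jail names.
for j in shell_keltia_net mail_keltia_net; do
    printf 'jail %s: variables that do not belong to this jail:\n' "$j"
    printf '%s\n' "$SAMPLE_CONF" | ezjail_mismatched_vars "$j" | sed 's/^/  /'
    if printf '%s\n' "$SAMPLE_CONF" | ezjail_raw_sockets_enabled "$j"; then
        echo "  allow.raw_sockets is requested in the config"
    else
        echo "  allow.raw_sockets is NOT requested in the config"
    fi
done
```

Run against a real file with `ezjail_mismatched_vars shell_keltia_net < /usr/local/etc/ezjail/shell_keltia_net`. The config lint only tells you what ezjail will ask for; the authoritative view of a running jail is from the host, e.g. `jls -j shell_keltia_net allow.raw_sockets`, which prints the jail's current value of that parameter.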