On 02/27/13 01:30, Andreas Nilsson wrote:
On Wed, Feb 27, 2013 at 5:44 AM, Jamie Gritton <ja...@freebsd.org> wrote:

    On 02/26/13 01:56, Andreas Nilsson wrote:

        However I still don't get the purpose of the security.jail.param.*.
        Are they to be set in loader.conf/sysctl.conf to influence the default
        config of jails, or are they supposed to be per-jail (from inside the
        jail) carriers of config? The PR seems to indicate it's not really
        clear.

        Also, man jail says:
        "The current set of available parameters can be retrieved via
        ``sysctl -d security.jail.param''.  Any parameters not set will be
        given default values, often based on the current environment.
        The core parameters are:"
        and then lists some. For example jid. I take that to mean that the
        value of security.jail.param.jid from inside a jail should return the
        jid of the jail. I just get 0. And security.jail.param.path is 1024,
        which is not at all the path of the jail... There seems to be quite a
        discrepancy between manpage and implementation.


    The bit that the man page says is in fact the entire (user-visible) use
    for those sysctls: they're just there to show what parameters are
    available, and what types they are. Actually, they also show jail(8) the
    same thing, and that's how it knows what parameters exist.


Ok. I'm feeling a bit daft here, from within a jail do they say "these
parameters can be set" or "those parameters have been set"?

It's still a matter of "these parameters can be set." Well, if your jail
has been granted permission to create sub-jails. They're read-only
values (or more properly, read-only non-values), so they appear the same
regardless of environment.

    But the parameters don't actually have any useful values. Only their
    types, sizes and descriptions are valid.

Ok, somewhat disappointing ;) Is there an ongoing effort to teach rc and
friends about the difference between jails and vnet jails? Or is it deemed a
security problem that a jail knows the "circumstances of its conception"?

It hasn't really been a problem until vnet jails came along. No, there's
been no effort I know of to teach jails their particulars, but then
neither has there been any particular effort to hide them.

- Jamie
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
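An added example, not from this thread or from FreeBSD's own code, illustrating the point Jamie makes above: the security.jail.param.* sysctls only describe which parameters exist (name, type, size), and the numbers they report are not the running jail's settings. The parsing functions read sysctl output on stdin, so they are exercised here against constructed sample text; on FreeBSD you would pipe the real `sysctl -d security.jail.param` and `sysctl security.jail.param` output in, and the jail's actual particulars come from jls(8).

```shell
# Constructed sample of `sysctl -d security.jail.param` (parameter descriptions).
SAMPLE_DESC='security.jail.param.jid: Jail ID
security.jail.param.path: Jail root path
security.jail.param.securelevel: Jail secure level'

# Constructed sample of `sysctl security.jail.param` (the misleading "values";
# the 1024 reported for path is the buffer size, as observed in the thread).
SAMPLE_VALUES='security.jail.param.jid: 0
security.jail.param.path: 1024
security.jail.param.securelevel: 0'

# param_names: list bare parameter names from `sysctl -d security.jail.param` output.
param_names() {
    sed -n 's/^security\.jail\.param\.\([^:]*\):.*/\1/p'
}

# param_field NAME: print what follows "security.jail.param.NAME: " on stdin,
# i.e. the description for -d output or the reported number for plain output.
param_field() {
    sed -n "s/^security\.jail\.param\.$1: *//p"
}

# param_report DESC VALUES: one line per parameter with its description and the
# reported number, labelled so nobody mistakes it for the jail's configuration.
param_report() {
    for p in $(printf '%s\n' "$1" | param_names); do
        desc=$(printf '%s\n' "$1" | param_field "$p")
        num=$(printf '%s\n' "$2" | param_field "$p")
        printf '%s\t%s\t(sysctl reports %s: a type/size hint, not a setting)\n' \
            "$p" "$desc" "$num"
    done
}

# FreeBSD only: the real jid and root path come from jls(8), which uses
# jail_get(2); run inside a jail it reports that jail itself.
real_jail_facts() {
    command -v jls >/dev/null 2>&1 || { echo "jls not available (not FreeBSD)"; return 1; }
    jls -n jid path
}

param_report "$SAMPLE_DESC" "$SAMPLE_VALUES"
```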