On 2025-07-15 06:53, Bjoern A. Zeeb wrote:
On Tue, 15 Jul 2025, Doug Rabson wrote:

On Mon, 14 Jul 2025 at 16:54, James Gritton <[email protected]> wrote:

On 2025-07-14 03:53, Doug Rabson wrote:

I tried setting allow.socket_af for a jail which inherits the host vnet
and this still has problems creating interfaces:

$ jid=$(sudo jail -i -c host.hostname=foo vnet=inherit allow.socket_af
path=/ persist)
$ sudo jexec $jid
You have mail.
root@foo:/ # ifconfig bridge create
ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
root@foo:/ # exit
exit
$ sudo jail -r $jid


I think I see the problem: address family 2 is AF_INET, which
check_prison_af will only disallow if IPv4 is disabled in that jail - which it is! Add ip4=inherit to your child jail and see if that does the trick.

A typical non-vnet jail has one or more IP addresses included in the
definition, but without that the default is ip4=disabled. Bjoern's "all I have is yours" is not in fact the overriding jail philosophy, but rather
"you get only what you ask for."


Jamie is, of course, correct and setting ip4=inherit fixes
the EPROTONOSUPPORT, uncovering my original EPERM problem:

$ jid=$(sudo jail -i -c host.hostname=foo ip4=inherit allow.socket_af
path=/ persist)
$ sudo jexec $jid ifconfig bridge create
ifconfig: SIOCIFCREATE2 (bridge): Operation not permitted

And I assume that now is because vnet=inherit does not set PR_VNET and
prison_priv_check() now does not catch:

        /*
         * No default: or deny here.
         * In case of no permit fall through to next switch().
         */
                if (cred->cr_prison->pr_flags & PR_VNET)
                        return (0);

and so you run into the default at the end.  Wild guess.

I think we really need a flag if we want to allow "vnet=inherit" and
"give me power to mangle with my parent's vnet".  *sigh*.

Jamie? Help?

This harks back to non-hierarchical jails, since the base system is just
a special kind of jail that has its own vnet.  So we treat this like we
would treat other jails that want to do network things: carve out an
allow.* bit.  So the question becomes: how big should the carve-out be?
Just PRIV_NET_IFCREATE?  And then add to it other things that end up
being necessary - as separate allow bits or as part of the same?  Or
just a big "let the jail do all the network things" permission?

Or do we want to treat non-root vnets differently, and say "allow all
(or some/many) network things for sub-jails under vnets"?

- Jamie
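As an added illustration (not code from the thread and not FreeBSD's kern_jail.c), here is a small C model of the two gates the thread walks through in order: the per-address-family check that socket(2) applies, which surfaces as EPROTONOSUPPORT, and the privilege check that the SIOCIFCREATE2 ioctl applies, which surfaces as EPERM when the jail lacks PR_VNET. The flag bits, privilege names and the "anything not explicitly permitted is EPERM" fallthrough are simplifications chosen for this example and are not the kernel's real definitions.

```c
/*
 * Simplified model of the two checks an "ifconfig bridge create" in a
 * jail passes through, as diagnosed in the thread.  This is NOT
 * FreeBSD's kernel code: the PRF_* bits, the M_* constants and the
 * helper names are hypothetical and exist only for this illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical jail flag bits (not the real pr_flags layout). */
#define PRF_VNET            0x01  /* jail owns its own vnet (vnet=new)      */
#define PRF_IP4             0x02  /* IPv4 usable: addresses or ip4=inherit  */
#define PRF_ALLOW_SOCKET_AF 0x04  /* allow.socket_af                        */
#define PRF_IP6             0x08  /* IPv6 usable: addresses or ip6=inherit  */

/* Address families and privileges used by the model. */
#define M_AF_LOCAL          1
#define M_AF_INET           2     /* "family 2" in the ifconfig message   */
#define M_AF_ROUTE          17
#define M_AF_INET6          28

#define M_PRIV_NET_IFCREATE 1
#define M_PRIV_OTHER        2

/*
 * Gate 1: the address-family check applied when a jailed process calls
 * socket(2).  A refusal is reported to userland as EPROTONOSUPPORT, which
 * is the "Protocol not supported" ifconfig printed for family 2.
 * AF_INET/AF_INET6 are governed by ip4/ip6, not by allow.socket_af, which
 * is why allow.socket_af alone did not help in the thread.
 */
int model_socket(unsigned prflags, int af)
{
    int allowed;

    if (prflags & PRF_VNET)
        return 0;                 /* a jail with its own vnet is not restricted */

    switch (af) {
    case M_AF_LOCAL:
    case M_AF_ROUTE:
        allowed = 1;                                  /* always available */
        break;
    case M_AF_INET:
        allowed = (prflags & PRF_IP4) != 0;           /* ip4=... decides  */
        break;
    case M_AF_INET6:
        allowed = (prflags & PRF_IP6) != 0;           /* ip6=... decides  */
        break;
    default:
        allowed = (prflags & PRF_ALLOW_SOCKET_AF) != 0;
        break;
    }
    return allowed ? 0 : EPROTONOSUPPORT;
}

/*
 * Gate 2: the privilege check the SIOCIFCREATE2 ioctl applies.  The
 * fragment quoted in the thread returns 0 for network privileges only
 * when PR_VNET is set; vnet=inherit does not set it, so the model falls
 * through to EPERM ("Operation not permitted").
 */
int model_priv_check(unsigned prflags, int priv)
{
    switch (priv) {
    case M_PRIV_NET_IFCREATE:
        if (prflags & PRF_VNET)
            return 0;
        break;                    /* no permit: fall through to the default */
    default:
        break;
    }
    return EPERM;                 /* the "default at the end" */
}

/* Both gates in the order ifconfig hits them; returns the first errno or 0. */
int model_ifconfig_create(unsigned prflags)
{
    int error = model_socket(prflags, M_AF_INET);   /* socket(AF_INET, ...) */

    if (error != 0)
        return error;
    return model_priv_check(prflags, M_PRIV_NET_IFCREATE);  /* SIOCIFCREATE2 */
}

int main(void)
{
    /* The three configurations discussed in the thread. */
    unsigned cfg[] = {
        PRF_ALLOW_SOCKET_AF,                 /* vnet=inherit allow.socket_af           */
        PRF_ALLOW_SOCKET_AF | PRF_IP4,       /* ... plus ip4=inherit                   */
        PRF_VNET,                            /* vnet=new: a jail with its own vnet     */
    };
    size_t i;

    for (i = 0; i < sizeof(cfg) / sizeof(cfg[0]); i++) {
        int error = model_ifconfig_create(cfg[i]);
        printf("flags 0x%02x: %s\n", cfg[i], error ? strerror(error) : "ok");
    }
    return 0;
}
```

The point the model makes concrete is that the two errors come from different layers: fixing the first (ip4=inherit) merely exposes the second, and no existing allow.* bit reaches the second gate for a jail that inherits its parent's vnet, which is the gap Jamie's proposed carve-out would fill.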
