Hi all,

Not sure if this is a bug, but I'm using 8.1-RELEASE-p4 with VIMAGE enabled and am experiencing something odd.
I set sysctl security.jail.mount_allowed=1 and then fire up a jail, all is good (jail has value of 1). I then set sysctl security.jail.enforce_statfs=1 and then restart the jail. Again, all is good (jail has value of 1). I then fire up my vimage jails, and all is bad. Values still show 0 (mount_allowed) and 2 (enforce_statfs). So I went into the kernel and forced their default values, which appeared to work, but only partly.

The following [undesirable] patch was enough to get enforce_statfs working:

--- sys/kern/kern_jail.c.orig 2011-08-26 23:41:27.000000000 -0700+++ sys/kern/kern_jail.c 2011-08-27 00:44:45.000000000 -0700 @@ -202,7 +202,7 @@ #define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME -#define JAIL_DEFAULT_ENFORCE_STATFS 2 +#define JAIL_DEFAULT_ENFORCE_STATFS 1 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; static int jail_default_enforce_statfs = JAIL_DEFAULT_ENFORCE_STATFS; #if defined(INET) || defined(INET6)

However, the following [equally undesirable] patch was NOT enough to get mount(8) to work:
@@ -4113,4 +4114,4 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, - NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I", + (void *)1, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I", "Processes in jail can mount/unmount jail-friendly file systems");

Here's what I'm getting for an error...

vnettest# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether XX:XX:XX:XX:XX:XX
        inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.X
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 1
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
mount_nfs: /mnt, : Operation not permitted

Meanwhile, over in the jail (non-vnet):

vnettest# ifconfig -l
bge0 fxp0 plip0 ipfw0 lo0 epair0a bridge0
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 0
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
vnettest# df -Th
Filesystem     Type   Size    Used   Avail Capacity  Mounted on
/dev/ad4s1f    ufs    137G    4.1G    122G     3%    /
devfs          devfs  1.0K    1.0K      0B   100%    /dev
build1:/repos  nfs     99G     63G     29G    69%    /mnt
vnettest# umount /mnt
vnettest# df -Th
Filesystem     Type   Size    Used   Avail Capacity  Mounted on
/dev/ad4s1f    ufs    137G    4.1G    122G     3%    /
devfs          devfs  1.0K    1.0K      0B   100%    /dev

Any advice would be helpful. The core issue is that we've finally achieved NFS mounting within a jail (many thanks to Martin Matuska for his patch), but are not able to replicate our success in a vnet jail.

-- 
Devin
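Review bot: hardcoding JAIL_DEFAULT_ENFORCE_STATFS to 1 in the first hunk changes the compile-time default for every jail on the box rather than fixing why the vnet jails ignore the sysctl; the report itself shows the runtime default reaching non-vnet jails (enforce_statfs: 1 after setting security.jail.enforce_statfs=1) but not vnet ones (still 2), so the defect is in the path that creates a vnet jail, which is ending up with the compile-time constant instead of the current jail_default_enforce_statfs. That is where to look, and the hunk should not be kept. Until it is tracked down, passing enforce_statfs=1 as a per-jail parameter when the vnet jail is created is the supported way to get a single jail to 1 without a rebuilt kernel (assumption: 8.1's jail(8) accepts the new-style enforce_statfs parameter; not shown in this report).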
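Review bot: in the second hunk, replacing NULL with (void *)1 as arg1 of the mount_allowed SYSCTL_PROC cannot set a default: arg1 is only an argument the sysctl_jail_default_allow handler interprets, while the permission bit itself (PR_ALLOW_MOUNT, passed as arg2) lives in jail_default_allow, whose compile-time value is JAIL_DEFAULT_ALLOW, i.e. PR_ALLOW_SET_HOSTNAME only, in the first hunk. The readings after this change are inconsistent with behaviour in both jails (vnet: mount_allowed 1 yet mount_nfs gets "Operation not permitted"; non-vnet: mount_allowed 0 yet the NFS mount succeeds), which is what you would expect if the change altered what the sysctl reports rather than the permission. If a compile-time experiment is really wanted, the analogous change is to OR PR_ALLOW_MOUNT into JAIL_DEFAULT_ALLOW in the first hunk; better, revert this hunk and trace why a vnet jail is not created with the runtime jail_default_allow that security.jail.mount_allowed already writes.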