Re: Marking some FS as jailable
On 02/14/13 06:27, Baptiste Daroussin wrote: On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote: On 02/12/13 12:40, Baptiste Daroussin wrote: I would like to mark some filesystem as jailable, here is the one I need: linprocfs, tmpfs and fdescfs, I was planning to do it with adding a allow.mount.${fs} for each one. Anyone has an objection? Would it make sense for linprocfs to use the existing allow.mount.procfs flag? Here is a patch that uses allow.mount.procfs for linsysfs and linprocfs. It also addd a new allow.mount.tmpfs to allow tmpfs. It seems to work here, can anyone confirm this is the right way to do it? I'll commit in 2 parts: first lin*fs, second tmpfs related things http://people.freebsd.org/~bapt/jail-fs.diff There are some problems. The usage on the mount side of things looks correct, but it needs more on the jail side. I'm including a patch just of that part, with a correction in jail.h and further changes in kern_jail.c - Jamie Index: sys/jail.h === --- sys/jail.h (revision 246791) +++ sys/jail.h (working copy) @@ -227,7 +227,8 @@ #definePR_ALLOW_MOUNT_NULLFS 0x0100 #definePR_ALLOW_MOUNT_ZFS 0x0200 #definePR_ALLOW_MOUNT_PROCFS 0x0400 -#definePR_ALLOW_ALL0x07ff +#definePR_ALLOW_MOUNT_TMPFS0x0800 +#definePR_ALLOW_ALL0x0fff /* * OSD methods Index: kern/kern_jail.c === --- kern/kern_jail.c(revision 246791) +++ kern/kern_jail.c(working copy) @@ -206,6 +206,7 @@ "allow.mount.nullfs", "allow.mount.zfs", "allow.mount.procfs", + "allow.mount.tmpfs", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -221,6 +222,7 @@ "allow.mount.nonullfs", "allow.mount.nozfs", "allow.mount.noprocfs", + "allow.mount.notmpfs", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); 
@@ -4208,6 +4210,10 @@ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_PROCFS, sysctl_jail_default_allow, "I", "Processes in jail can mount the procfs file system"); +SYSCTL_PROC(_security_jail, OID_AUTO, mount_tmpfs_allowed, +CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, +NULL, PR_ALLOW_MOUNT_TMPFS, sysctl_jail_default_allow, "I", +"Processes in jail can mount the tmpfs file system"); SYSCTL_PROC(_security_jail, OID_AUTO, mount_zfs_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", @@ -4360,6 +4366,8 @@ "B", "Jail may mount the nullfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, procfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the procfs file system"); +SYSCTL_JAIL_PARAM(_allow_mount, tmpfs, CTLTYPE_INT | CTLFLAG_RW, +"B", "Jail may mount the tmpfs file system"); SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may mount the zfs file system"); ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
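Review bot: PR_ALLOW_ALL in the sys/jail.h hunk has to be bumped together with the new bit, and the hunk does that correctly: PR_ALLOW_MOUNT_TMPFS takes the next free bit (0x0800, directly above PR_ALLOW_MOUNT_PROCFS 0x0400) and PR_ALLOW_ALL grows from 0x07ff to 0x0fff. A flag outside PR_ALLOW_ALL is not a recognised allow bit, so a re-rolled patch that keeps the `+#define PR_ALLOW_MOUNT_TMPFS 0x0800` line but drops the `+#define PR_ALLOW_ALL 0x0fff` line would silently leave tmpfs unjailable. Suggest a short comment next to PR_ALLOW_ALL stating that it must be the OR of every PR_ALLOW_* bit, so the next filesystem added does not miss it.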
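Review bot: the placement of `+ "allow.mount.tmpfs",` and `+ "allow.mount.notmpfs",` in the two kern_jail.c array hunks is load-bearing, not cosmetic: the allow names are matched to flag bits positionally, so both entries must sit at the index that corresponds to 0x0800, which is exactly after the procfs entries as the hunks have it, and pr_allow_names and pr_allow_nonames must keep the same length. A CTASSERT that the array length equals the number of bits in PR_ALLOW_ALL would turn a future mismatch into a build error instead of a mis-mapped parameter.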
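Review bot: the two SYSCTL hunks add security.jail.mount_tmpfs_allowed and the allow.mount.tmpfs jail parameter, but no manual page change accompanies them; jail(8) documents every allow.mount.* parameter and its security.jail.*_allowed default sysctl, so it needs a matching entry (the description strings "Jail may mount the tmpfs file system" and "Processes in jail can mount the tmpfs file system" can be reused there). Note also that this jail-side patch carries no mount-side change, so allow.mount.tmpfs has no effect until it is applied together with the mount-side part of the jail-fs.diff referenced above.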
Re: Marking some FS as jailable
On Thu, Feb 14, 2013 at 07:40:58AM -0700, Jamie Gritton wrote:
> On 02/14/13 06:27, Baptiste Daroussin wrote:
> > On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote:
> >> On 02/12/13 12:40, Baptiste Daroussin wrote:
> >>>
> >>> I would like to mark some filesystem as jailable, here is the one I need:
> >>> linprocfs, tmpfs and fdescfs, I was planning to do it with adding a
> >>> allow.mount.${fs} for each one.
> >>>
> >>> Anyone has an objection?
> >>
> >> Would it make sense for linprocfs to use the existing allow.mount.procfs
> >> flag?
> >
> > Here is a patch that uses allow.mount.procfs for linsysfs and linprocfs.
> >
> > It also adds a new allow.mount.tmpfs to allow tmpfs.
> >
> > It seems to work here, can anyone confirm this is the right way to do it?
> >
> > I'll commit in 2 parts: first lin*fs, second tmpfs related things
> >
> > http://people.freebsd.org/~bapt/jail-fs.diff
>
> There are some problems. The usage on the mount side of things looks
> correct, but it needs more on the jail side. I'm including a patch just
> of that part, with a correction in jail.h and further changes in kern_jail.c
>
> - Jamie

Thank you, the patch has been updated with your fixes.

regards
Bapt
Re: Marking some FS as jailable
On 02/14/13 07:56, Baptiste Daroussin wrote:
> On Thu, Feb 14, 2013 at 07:40:58AM -0700, Jamie Gritton wrote:
> > On 02/14/13 06:27, Baptiste Daroussin wrote:
> > > On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote:
> > > > On 02/12/13 12:40, Baptiste Daroussin wrote:
> > > > > I would like to mark some filesystem as jailable, here is the one I need:
> > > > > linprocfs, tmpfs and fdescfs, I was planning to do it with adding a
> > > > > allow.mount.${fs} for each one.
> > > > >
> > > > > Anyone has an objection?
> > > >
> > > > Would it make sense for linprocfs to use the existing allow.mount.procfs
> > > > flag?
> > >
> > > Here is a patch that uses allow.mount.procfs for linsysfs and linprocfs.
> > >
> > > It also adds a new allow.mount.tmpfs to allow tmpfs.
> > >
> > > It seems to work here, can anyone confirm this is the right way to do it?
> > >
> > > I'll commit in 2 parts: first lin*fs, second tmpfs related things
> > >
> > > http://people.freebsd.org/~bapt/jail-fs.diff
> >
> > There are some problems. The usage on the mount side of things looks
> > correct, but it needs more on the jail side. I'm including a patch just
> > of that part, with a correction in jail.h and further changes in kern_jail.c
>
> Thank you, the patch has been updated with your fixes.

One more bit (literally): PR_ALLOW_ALL in sys/jail.h needs updating.

- Jamie
Re: Marking some FS as jailable
On Thu, Feb 14, 2013 at 07:58:52AM -0700, Jamie Gritton wrote:
> On 02/14/13 07:56, Baptiste Daroussin wrote:
> > On Thu, Feb 14, 2013 at 07:40:58AM -0700, Jamie Gritton wrote:
> >> On 02/14/13 06:27, Baptiste Daroussin wrote:
> >>> On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote:
> >>>> On 02/12/13 12:40, Baptiste Daroussin wrote:
> >>>>>
> >>>>> I would like to mark some filesystem as jailable, here is the one I
> >>>>> need:
> >>>>> linprocfs, tmpfs and fdescfs, I was planning to do it with adding a
> >>>>> allow.mount.${fs} for each one.
> >>>>>
> >>>>> Anyone has an objection?
> >>>>
> >>>> Would it make sense for linprocfs to use the existing allow.mount.procfs
> >>>> flag?
> >>>
> >>> Here is a patch that uses allow.mount.procfs for linsysfs and linprocfs.
> >>>
> >>> It also adds a new allow.mount.tmpfs to allow tmpfs.
> >>>
> >>> It seems to work here, can anyone confirm this is the right way to do it?
> >>>
> >>> I'll commit in 2 parts: first lin*fs, second tmpfs related things
> >>>
> >>> http://people.freebsd.org/~bapt/jail-fs.diff
> >>
> >> There are some problems. The usage on the mount side of things looks
> >> correct, but it needs more on the jail side. I'm including a patch just
> >> of that part, with a correction in jail.h and further changes in
> >> kern_jail.c
> >
> > Thank you, the patch has been updated with your fixes.
>
> One more bit (literally): PR_ALLOW_ALL in sys/jail.h needs updating.
>
> - Jamie

Fixed, thanks

Bapt
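Why the "one more bit" fix at the end of this thread mattered, shown as an added illustration that is not code from the thread or from the FreeBSD tree: the kernel resolves an allow.* parameter name to its flag by the name's position in pr_allow_names, and PR_ALLOW_ALL must cover every such bit. The four mount-related names and the 0x07ff/0x0fff values come from the patch above; the first eight names are assumed from the FreeBSD 9 kernel and are not shown on this page.

```c
#include <stddef.h>
#include <string.h>

/*
 * Jail "allow.*" parameter names in bit order.  The flag for a name is
 * 1 << (its index), so the array order is the contract.  The last four
 * entries are the ones visible in the thread's kern_jail.c hunk; the
 * first eight are assumed from the FreeBSD 9 kernel (not on the page).
 */
static const char *const pr_allow_names[] = {
    "allow.set_hostname", "allow.sysvipc", "allow.raw_sockets",
    "allow.chflags", "allow.mount", "allow.quotas", "allow.socket_af",
    "allow.mount.devfs", "allow.mount.nullfs", "allow.mount.zfs",
    "allow.mount.procfs", "allow.mount.tmpfs",
};
#define NNAMES (sizeof(pr_allow_names) / sizeof(pr_allow_names[0]))

#define PR_ALLOW_MOUNT_PROCFS 0x0400  /* from the thread's jail.h hunk */
#define PR_ALLOW_MOUNT_TMPFS  0x0800  /* bit added by the patch */
#define PR_ALLOW_ALL_OLD      0x07ff  /* PR_ALLOW_ALL before the patch */
#define PR_ALLOW_ALL_NEW      0x0fff  /* PR_ALLOW_ALL after the patch */

/* Map a parameter name to its flag bit positionally; 0 if the name is unknown. */
unsigned allow_flag(const char *name)
{
    for (size_t i = 0; i < NNAMES; i++)
        if (strcmp(pr_allow_names[i], name) == 0)
            return 1u << i;
    return 0;
}

/*
 * Invariant the thread's last message points at: PR_ALLOW_ALL must be
 * exactly the OR of one bit per named parameter.  Returns 1 if `all`
 * covers every named bit and carries no unnamed bit, else 0.
 */
int allow_all_consistent(unsigned all)
{
    return all == (1u << NNAMES) - 1;
}
```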
bsnmp-jails broken ?
I wanted to add monitoring of traffic to individual jails, but this module does not seem to work for me. The module seems to work for some OIDs, but not for traffic stats. This is on RELENG_9. Does anyone have this working?

e.g.

% snmpwalk -v2c -c thehost.sentex.ca .1.3.6.1.4.1.12325.1.
SNMPv2-SMI::enterprises.12325.1..1.0 = INTEGER: 2
SNMPv2-SMI::enterprises.12325.1..2.1.0.1 = INTEGER: 1
SNMPv2-SMI::enterprises.12325.1..2.1.0.2 = INTEGER: 2
SNMPv2-SMI::enterprises.12325.1..2.1.1.1 = STRING: "j1.com"
SNMPv2-SMI::enterprises.12325.1..2.1.1.2 = STRING: "6j2.sentex.ca"
SNMPv2-SMI::enterprises.12325.1..2.1.10.1 = Counter64: 0
SNMPv2-SMI::enterprises.12325.1..2.1.10.2 = Counter64: 0
SNMPv2-SMI::enterprises.12325.1..2.1.11.1 = Counter64: 0
SNMPv2-SMI::enterprises.12325.1..2.1.11.2 = Counter64: 0
SNMPv2-SMI::enterprises.12325.1..2.1.12.1 = Counter64: 0
SNMPv2-SMI::enterprises.12325.1..2.1.12.2 = Counter64: 0
SNMPv2-SMI::enterprises.12325.1..2.1.13.1 = Counter64: 0
SNMPv2-SMI::enterprises.12325.1..2.1.13.2 = Counter64: 0
SNMPv2-SMI::enterprises.12325.1..2.1.20.1 = INTEGER: 60
SNMPv2-SMI::enterprises.12325.1..2.1.20.2 = INTEGER: 25
SNMPv2-SMI::enterprises.12325.1..2.1.21.1 = INTEGER: 69
SNMPv2-SMI::enterprises.12325.1..2.1.21.2 = INTEGER: 144
SNMPv2-SMI::enterprises.12325.1..2.1.25.1 = Timeticks: (3067079) 8:31:10.79
SNMPv2-SMI::enterprises.12325.1..2.1.25.2 = Timeticks: (8626) 0:01:26.26
SNMPv2-SMI::enterprises.12325.1..2.1.30.1 = Counter64: 6535995904
SNMPv2-SMI::enterprises.12325.1..2.1.30.2 = Counter64: 2159424000
SNMPv2-SMI::enterprises.12325.1..2.1.31.1 = Counter64: 159831
SNMPv2-SMI::enterprises.12325.1..2.1.31.2 = Counter64: 246899
SNMPv2-SMI::enterprises.12325.1..100.0 = STRING: "not net xx.yy.zz.16/28"
SNMPv2-SMI::enterprises.12325.1..101.0 = Timeticks: (300) 0:00:03.00
SNMPv2-SMI::enterprises.12325.1..102.0 = Timeticks: (3600) 0:00:36.00

--
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994
www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/