Discussion:
mounting fdescfs in a nested/hierarchical jail?
Ruben van Staveren
2014-08-18 12:26:39 UTC
Hi list,

I have a FreeBSD 10 zfs based ezjail setup. In one of the jails I am using ezjail again to set up a nested jail. My goal is to eventually have my jails use these nested jails as containers for certain services.

However, I am not able to mount a nested fdescfs. When I leave out fdesc, the nested jail starts up just fine.

There is no allow.mount.fdescfs. Do we need one?

Cheers,
Ruben
***@test:~ % sudo ezjail-admin onestart nested1
Starting jails: cannot start jail "nested1":
mount: .: Operation not permitted
jail: nested1: /sbin/mount -t fdescfs . /opt/jails/nested1/dev/fd: failed
.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider to migrate to /etc/jail.conf.
Error: Could not onestart nested1.
You need to onestart it by hand.
***@test:~ % sysctl -a | egrep jail\|mount | grep -v param
vfs.usermount: 0
vfs.ffs.compute_summary_at_mount: 0
debug.softdep.softdep_mounts: 0
security.jail.jailed: 1
security.jail.vnet: 0
security.jail.jail_max_af_ips: 255
security.jail.set_hostname_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.sysvipc_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.chflags_allowed: 0
security.jail.mount_allowed: 1
security.jail.mount_devfs_allowed: 1
security.jail.mount_nullfs_allowed: 1
security.jail.mount_procfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_zfs_allowed: 1
security.jail.enforce_statfs: 1
security.jail.devfs_ruleset: 4
***@test:~ % sudo /sbin/mount -vt devfs . /opt/jails/nested1/dev/
devfs on /opt/jails/nested1/dev (devfs)
***@test:~ % sudo /sbin/mount -vt fdescfs . /opt/jails/nested1/dev/fd/
mount: .: Operation not permitted
devfs on /opt/jails/nested1/dev (devfs)
James Gritton
2014-08-21 02:55:20 UTC
Post by Ruben van Staveren
Hi list,
I have a FreeBSD 10 zfs based ezjail setup. In one of the jails I am using ezjail again to set up a nested jail. My goal is to eventually have my jails use these nested jails as containers for certain services.
However, I am not able to mount a nested fdescfs. When I leave out fdesc, the nested jail starts up just fine.
There is no allow.mount.fdescfs. Do we need one?
Cheers,
Ruben
That's probably the answer. It seems a little inelegant to have this
proliferation of pseudo-fs type allowances, but it's the direction we've
gone.

In the meantime, you could pre-mount the child jails' fdescfs when the
parent jails are created. That's pretty messy, especially considering
it means you have to first pre-mount their devfs as well. But it's
likely all the permissions will allow.

- Jamie
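The permission check implied by Ruben's sysctl listing and the pre-mount workaround Jamie describes, as an added example that is not code from the thread or from FreeBSD. The parent jail root /usr/jails/parent and the child path /opt/jails/nested1 are assumed for illustration only, and the sysctl names follow the shape of the listing in the first post.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from sysctl output whether a
# jailed process may mount a given pseudo-filesystem, and print the pre-mount
# commands for the workaround.  Paths below are assumptions for illustration.

# Constructed sample in the shape of the `sysctl -a` output in the first post.
SAMPLE_SYSCTL='security.jail.jailed: 1
security.jail.mount_allowed: 1
security.jail.mount_devfs_allowed: 1
security.jail.mount_nullfs_allowed: 1
security.jail.mount_procfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_zfs_allowed: 1'

# jail_mount_allowed FSTYPE: reads sysctl lines on stdin, prints yes/no and
# returns 0 when the jail may mount FSTYPE.  Both the global mount_allowed
# and a per-type mount_<FSTYPE>_allowed line must be 1.  The pasted output has
# no mount_fdescfs_allowed line at all, which is why fdescfs comes out "no"
# while devfs comes out "yes": there is no knob to turn on.
jail_mount_allowed() {
    awk -v fs="$1" '
        $1 == "security.jail.mount_allowed:"            { global = $2 }
        $1 == ("security.jail.mount_" fs "_allowed:")   { perfs  = $2 }
        END { ok = (global == 1 && perfs == 1)
              print (ok ? "yes" : "no"); exit !ok }'
}

# premount_cmds PARENT_ROOT CHILD_PATH: prints the commands to run from the
# host (where the permissions allow) before the parent jail starts, so the
# nested jail never has to mount fdescfs itself.  CHILD_PATH is the child's
# root as seen inside the parent.  devfs must be mounted first, because the
# fdescfs mount point <dev>/fd lives inside that devfs instance.
premount_cmds() {
    dev="$1$2/dev"
    printf 'mount -t devfs devfs %s\n' "$dev"
    printf 'mount -t fdescfs fdesc %s/fd\n' "$dev"
}

# Stand-alone demo reproducing the situation in the thread.
for fs in devfs fdescfs; do
    printf '%s: ' "$fs"
    printf '%s\n' "$SAMPLE_SYSCTL" | jail_mount_allowed "$fs" || true
done
premount_cmds /usr/jails/parent /opt/jails/nested1
```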
Ruben van Staveren
2014-08-21 18:05:28 UTC
Hi Jamie, others,
Post by Ruben van Staveren
Hi list,
I have a FreeBSD 10 zfs based ezjail setup. In one of the jails I am using ezjail again to set up a nested jail. My goal is to eventually have my jails use these nested jails as containers for certain services.
However, I am not able to mount a nested fdescfs. When I leave out fdesc, the nested jail starts up just fine.
There is no allow.mount.fdescfs. Do we need one?
Cheers,
Ruben
That's probably the answer. It seems a little inelegant to have this proliferation of pseudo-fs type allowances, but it's the direction we've gone.
Ok, I’ve written a little patch for that. Seems to work on r268794

http://pastebin.com/5t9zEzkV

I am not sure about the consequences of having this permission.

Best Regards,
Ruben
Ruben van Staveren
2014-08-28 20:38:49 UTC
Post by Ruben van Staveren
Ok, I’ve written a little patch for that. Seems to work on r268794
More complete patch filed as https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951

Bash seems to be just happy about it (it requires fdescfs) and I see little harm in having the knob there. It is still off by default.
Ollivier Robert
2014-08-31 21:32:36 UTC
Ok, I’ve written a little patch for that. Seems to work on r268794
http://pastebin.com/5t9zEzkV
I am not sure about the consequences of having this permission.
Please put that into a PR on bugs.freebsd.org so we have a permanent trace of it, thanks.
--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- ***@keltia.freenix.fr
In memoriam to Ondine : http://ondine.keltia.net/