git: jail - Rework sysctl configuration variables
Antonio Huete Jimenez
tuxillo at crater.dragonflybsd.org
Wed Aug 28 03:42:46 PDT 2019
commit 7104f312191ea81da6faa5e08691fbbdd2cf25a3
Author: Antonio Huete Jimenez <tuxillo at quantumachine.net>
Date: Wed Aug 21 02:35:42 2019 +0200
jail - Rework sysctl configuration variables
  - Jail sysctls are now jail-specific so that different jails
    can have different settings.
    Each jail will have its own subtree which can be operated
    directly with sysctl(8).
    Naming convention:
        jail.<n>.<setting>
  - All previous sysctls are now moved to 'jail.defaults' and they
    are used as a template for any newly created jail.
Example:
# jls
JID Hostname Path IPs
2 t02.local /jails/02 10.0.0.3
1 t01.local /jails/01 10.0.0.2
# sysctl jail
jail.jailed: 0
jail.list: 2 t02.local /jails/02 10.0.0.3
1 t01.local /jails/01 10.0.0.2
jail.defaults.allow_raw_sockets: 0
jail.defaults.chflags_allowed: 0
jail.defaults.sysvipc_allowed: 0
jail.defaults.socket_unixiproute_only: 1
jail.defaults.set_hostname_allowed: 1
jail.1.set_hostname_allowed: 1
jail.1.socket_unixiproute_only: 1
jail.1.sysvipc_allowed: 0
jail.1.chflags_allowed: 0
jail.1.allow_raw_sockets: 0
jail.2.set_hostname_allowed: 1
jail.2.socket_unixiproute_only: 1
jail.2.sysvipc_allowed: 0
jail.2.chflags_allowed: 0
jail.2.allow_raw_sockets: 0
# sysctl jail.2.allow_raw_sockets=1
jail.2.allow_raw_sockets: 0 -> 1
# jexec 2 ping -q -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.766/0.766/0.766/0.000 ms
# jexec 1 ping -q -c 1 10.0.0.1
ping: socket: Operation not permitted
# service jail stop
Stopping jails: t01.local t02.local.
# sysctl jail
jail.jailed: 0
jail.defaults.allow_raw_sockets: 0
jail.defaults.chflags_allowed: 0
jail.defaults.sysvipc_allowed: 0
jail.defaults.socket_unixiproute_only: 1
jail.defaults.set_hostname_allowed: 1
Summary of changes:
 sys/kern/kern_jail.c   | 223 +++++++++++++++++++++++++++++++++++++++++++++----
 sys/kern/kern_mib.c    |   7 +-
 sys/kern/sysv_msg.c    |  12 ++-
 sys/kern/sysv_sem.c    |   9 +-
 sys/kern/sysv_shm.c    |  13 ++-
 sys/kern/uipc_socket.c |   3 +-
 sys/kern/vfs_helper.c  |   2 +-
 sys/sys/jail.h         |  15 ++++
 8 files changed, 255 insertions(+), 29 deletions(-)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/7104f312191ea81da6faa5e08691fbbdd2cf25a3
--
DragonFly BSD source repository
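Because every jail now gets its own jail.<n>.<setting> subtree seeded from the jail.defaults template, a host administrator can check whether any running jail has drifted from that template (for instance a jail where allow_raw_sockets was flipped to 1 after creation, as in the session above). The script below is an added example and is not code from the commit or from DragonFly; it assumes only the "name: value" text format of `sysctl jail` shown in the commit message and feeds the functions a constructed copy of that output (with jail 2's allow_raw_sockets already set to 1) so it runs offline. On a DragonFly host with this commit you would pass "$(sysctl jail)" instead.

```shell
#!/bin/sh
# Added example (not part of the DragonFly commit): audit the per-jail sysctl
# subtrees (jail.<n>.<setting>) against the jail.defaults template.
#
# SAMPLE_SYSCTL is constructed from the `sysctl jail` output in the commit
# message, after `sysctl jail.2.allow_raw_sockets=1` has been applied.
SAMPLE_SYSCTL='jail.jailed: 0
jail.list: 2 t02.local /jails/02 10.0.0.3
1 t01.local /jails/01 10.0.0.2
jail.defaults.allow_raw_sockets: 0
jail.defaults.chflags_allowed: 0
jail.defaults.sysvipc_allowed: 0
jail.defaults.socket_unixiproute_only: 1
jail.defaults.set_hostname_allowed: 1
jail.1.set_hostname_allowed: 1
jail.1.socket_unixiproute_only: 1
jail.1.sysvipc_allowed: 0
jail.1.chflags_allowed: 0
jail.1.allow_raw_sockets: 0
jail.2.set_hostname_allowed: 1
jail.2.socket_unixiproute_only: 1
jail.2.sysvipc_allowed: 0
jail.2.chflags_allowed: 0
jail.2.allow_raw_sockets: 1'

# jail_setting SYSCTL_TEXT JID SETTING
# Print the value of jail.<JID>.<SETTING> (JID may also be "defaults");
# prints nothing when the node is absent.
jail_setting() {
    printf '%s\n' "$1" | awk -F': ' -v want="jail.$2.$3" \
        '$1 == want { print $2; exit }'
}

# jail_drift SYSCTL_TEXT
# For every jail.<n>.<setting> whose value differs from the template value
# jail.defaults.<setting>, print "<jid> <setting> <default> <actual>".
# Exit status is 1 when at least one deviation was found, 0 otherwise, so
# the function can gate a cron job or a post-boot check.
jail_drift() {
    printf '%s\n' "$1" | awk -F': ' '
        # Remember the template: jail.defaults.<setting> -> value.
        $1 ~ /^jail\.defaults\./ {
            key = substr($1, length("jail.defaults.") + 1)
            def[key] = $2
            next
        }
        # Per-jail node: jail.<n>.<setting>. Lines such as jail.list and
        # its continuation lines match neither pattern and are ignored.
        $1 ~ /^jail\.[0-9]+\./ {
            split($1, part, ".")
            jid = part[2]; key = part[3]
            if ((key in def) && def[key] != $2) {
                print jid, key, def[key], $2
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Stand-alone run against the constructed sample.
if jail_drift "$SAMPLE_SYSCTL"; then
    echo "all jails match jail.defaults"
else
    echo "drift from jail.defaults detected (see above)"
fi
```

The drift report only lists settings that exist in jail.defaults, so a jail carrying an extra knob the template does not know about is deliberately left alone rather than reported as a mismatch; extend the second awk rule if you want those flagged too.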