git: jail - Rework sysctl configuration variables

Antonio Huete Jimenez tuxillo at crater.dragonflybsd.org
Wed Aug 28 03:42:46 PDT 2019


commit 7104f312191ea81da6faa5e08691fbbdd2cf25a3
Author: Antonio Huete Jimenez <tuxillo at quantumachine.net>
Date:   Wed Aug 21 02:35:42 2019 +0200

    jail - Rework sysctl configuration variables
    
    - Jail sysctls are now jail-specific so that different jails
      can have different settings.
      Each jail will have its own subtree which can be operated
      directly with sysctl(8).
    
      Naming convention:
    
          jail.<n>.<setting>
    
    - All previous sysctls are now moved to 'jail.defaults' and they
      are used as a template for any newly created jail.
    
      Example:
    
      # jls
      JID     Hostname        Path            IPs
      2       t02.local       /jails/02       10.0.0.3
      1       t01.local       /jails/01       10.0.0.2
    
      # sysctl jail
      jail.jailed: 0
      jail.list: 2 t02.local /jails/02 10.0.0.3
      1 t01.local /jails/01 10.0.0.2
      jail.defaults.allow_raw_sockets: 0
      jail.defaults.chflags_allowed: 0
      jail.defaults.sysvipc_allowed: 0
      jail.defaults.socket_unixiproute_only: 1
      jail.defaults.set_hostname_allowed: 1
      jail.1.set_hostname_allowed: 1
      jail.1.socket_unixiproute_only: 1
      jail.1.sysvipc_allowed: 0
      jail.1.chflags_allowed: 0
      jail.1.allow_raw_sockets: 0
      jail.2.set_hostname_allowed: 1
      jail.2.socket_unixiproute_only: 1
      jail.2.sysvipc_allowed: 0
      jail.2.chflags_allowed: 0
      jail.2.allow_raw_sockets: 0
    
      # sysctl jail.2.allow_raw_sockets=1
      jail.2.allow_raw_sockets: 0 -> 1
    
      # jexec 2 ping -q -c 1 10.0.0.1
      PING 10.0.0.1 (10.0.0.1): 56 data bytes
    
      --- 10.0.0.1 ping statistics ---
      1 packets transmitted, 1 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 0.766/0.766/0.766/0.000 ms
    
      # jexec 1 ping -q -c 1 10.0.0.1
      ping: socket: Operation not permitted
    
      # service jail stop
      Stopping jails: t01.local t02.local.
    
      # sysctl jail
      jail.jailed: 0
      jail.defaults.allow_raw_sockets: 0
      jail.defaults.chflags_allowed: 0
      jail.defaults.sysvipc_allowed: 0
      jail.defaults.socket_unixiproute_only: 1
      jail.defaults.set_hostname_allowed: 1

Summary of changes:
 sys/kern/kern_jail.c   | 223 +++++++++++++++++++++++++++++++++++++++++++++----
 sys/kern/kern_mib.c    |   7 +-
 sys/kern/sysv_msg.c    |  12 ++-
 sys/kern/sysv_sem.c    |   9 +-
 sys/kern/sysv_shm.c    |  13 ++-
 sys/kern/uipc_socket.c |   3 +-
 sys/kern/vfs_helper.c  |   2 +-
 sys/sys/jail.h         |  15 ++++
 8 files changed, 255 insertions(+), 29 deletions(-)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/7104f312191ea81da6faa5e08691fbbdd2cf25a3


-- 
DragonFly BSD source repository
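The commit message above demonstrates the operational consequence of the new layout: the per-jail subtree is live (flipping jail.2.allow_raw_sockets lets only jail 2 open a raw socket), while jail.defaults.* is only a template consulted when a jail is created, so an already-running jail keeps the values it was created with. A reviewer of a jail host therefore wants to diff every jail.<n>.* value against jail.defaults.* rather than trust the defaults. The script below is an added example by the editor, not code from the DragonFly commit: it parses `sysctl jail` output in the "jail.<n>.<setting>: <value>" form shown in the commit message and reports any per-jail setting that deviates from the template. The sample output it runs on is constructed from the commit message, not captured from a live system, and the function names are the editor's own.

```shell
# Added example (editor's, not part of the DragonFly commit): audit per-jail
# sysctls against the jail.defaults template. Assumes the
# "jail.<n>.<setting>: <value>" / "jail.defaults.<setting>: <value>" lines
# that `sysctl jail` prints after this commit.

# Constructed `sysctl jail` output (two jails, jail 2 with raw sockets
# enabled, as in the commit message); not captured from a real host.
sample_sysctl_jail() {
    cat <<'EOF'
jail.jailed: 0
jail.list: 2 t02.local /jails/02 10.0.0.3
1 t01.local /jails/01 10.0.0.2
jail.defaults.allow_raw_sockets: 0
jail.defaults.chflags_allowed: 0
jail.defaults.sysvipc_allowed: 0
jail.defaults.socket_unixiproute_only: 1
jail.defaults.set_hostname_allowed: 1
jail.1.set_hostname_allowed: 1
jail.1.socket_unixiproute_only: 1
jail.1.sysvipc_allowed: 0
jail.1.chflags_allowed: 0
jail.1.allow_raw_sockets: 0
jail.2.set_hostname_allowed: 1
jail.2.socket_unixiproute_only: 1
jail.2.sysvipc_allowed: 0
jail.2.chflags_allowed: 0
jail.2.allow_raw_sockets: 1
EOF
}

# Read `sysctl jail` output on stdin; print one line per jail setting that
# differs from jail.defaults (or has no default at all), sorted by name.
# jail.jailed and the multi-line jail.list value match neither pattern
# and are skipped.
jail_sysctl_drift() {
    awk -F': ' '
        /^jail\.defaults\./ {                 # template value
            key = $1; sub(/^jail\.defaults\./, "", key)
            def[key] = $2
            next
        }
        /^jail\.[0-9]+\./ {                   # per-jail value
            split($1, p, ".")                 # p[2] = jid, p[3] = setting
            val[p[2] SUBSEP p[3]] = $2
            next
        }
        END {
            for (k in val) {
                split(k, kp, SUBSEP)
                jid = kp[1]; s = kp[2]
                if (!(s in def))
                    printf "jail.%s.%s=%s (no default)\n", jid, s, val[k]
                else if (val[k] != def[s])
                    printf "jail.%s.%s=%s (default %s)\n", jid, s, val[k], def[s]
            }
        }
    ' | sort
}

# On a DragonFly host this would be: sysctl jail | jail_sysctl_drift
sample_sysctl_jail | jail_sysctl_drift
```

On the constructed sample the only line reported is jail.2.allow_raw_sockets=1 (default 0), which is exactly the loosening the commit message demonstrates with jexec and ping. Because the defaults are copied at jail creation, run this after changing any jail.defaults.* value as well: the change will not show up in jail.<n>.* for jails that already exist.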
