UNIX domain sockets on nullfs still broken?

Alexander Leidinger Alexander at Leidinger.net
Tue Dec 1 08:33:12 UTC 2009


Quoting Ivan Voras <ivoras at freebsd.org> (from Mon, 30 Nov 2009  
16:14:40 +0100):

> xorquewasp at googlemail.com wrote:
>> On 2009-11-30 15:43:01, Ivan Voras wrote:
>>> xorquewasp at googlemail.com wrote:
>>>> 76030 initial thread STRU  struct sockaddr { AF_LOCAL, /tmp/jack-11001/default/jack_0 }
>>>> 76030 initial thread NAMI  "/tmp/jack-11001/default/jack_0"
>>>> 76030 initial thread RET   connect -1 errno 61 Connection refused
>>> I would expect to see this result from the jail since it's  
>>> obviously a Bad Idea, but does it work from the same (host) machine

It is not a bad idea, at least not if we talk about mounting something  
from JailA to JailB. Think about the MySQL socket. I have a jail with  
MySQL, and I have a jail which wants to connect to it. I do not want  
to allow network connections between those jails (be it for  
performance reasons, or that I do not want to involve a network  
connection, or that I do not want to give the MySQL jail an IP at all  
or whatever).

Solution: give access to the socket via the FS. Ideally by putting the  
socket in its own directory and mounting this directory over to the  
jail. A workaround for this scenario is below.

>>> without the jail in between (i.e. just the nullfs, no jails)?
>>
>> Hm, yes, you're right. It does work without a jail involved.
>>
>> What's the sane solution, then, when the only method of communication
>> is unix domain sockets?
>
> It is a security problem. I think the long-term solution would be to

It is a risk-management problem, and as such not the responsibility of  
FreeBSD to enforce it. If the sysadmin wants to shoot himself in the foot, it  
is his decision.

> add a sysctl analogous to security.jail.param.securelevel to handle this.

Do you know the code which is responsible for the rejection of access to  
the socket? If yes, I can provide a patch regarding jail.param.something.

> I don't think there is a workaround right now.

My workaround with MySQL is to have the jail and the socket in the  
same FS (I would prefer to have them on separate FS). Then you can do  
a hardlink of the socket into the jail (obviously after each restart  
of the software, but this can be scripted). This works for me.

Bye,
Alexander.

-- 
You are capable of planning your future.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
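
The hardlink workaround described in the message above, as an added example that is not part of the original post: a Python sketch that re-links a service's socket into a jail's directory tree after each restart. The function name `relink_socket` and the command-line paths are assumptions; it refuses non-sockets and reports the cross-filesystem case up front, since a hard link requires both paths to be on the same FS.

```python
import errno
import os
import stat
import sys


def relink_socket(src, dst):
    """Hard-link the UNIX domain socket src to dst, replacing a stale link.

    Returns True if a new link was installed, False if dst was already current.
    """
    st = os.lstat(src)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{src} is not a socket")
    dst_dir = os.path.dirname(dst) or "."
    # Hard links cannot cross filesystems; fail early with a clear error.
    if os.stat(dst_dir).st_dev != st.st_dev:
        raise OSError(errno.EXDEV, "socket and jail directory are on different filesystems")
    try:
        if os.path.samestat(os.lstat(dst), st):
            return False  # link already names the live socket
    except FileNotFoundError:
        pass
    # After a restart the old link still names the dead socket's inode.
    # Link under a temporary name, then rename over it, so clients inside
    # the jail never see the path missing.
    tmp = f"{dst}.tmp.{os.getpid()}"
    try:
        os.unlink(tmp)
    except FileNotFoundError:
        pass
    os.link(src, tmp)
    os.rename(tmp, dst)
    return True


if __name__ == "__main__":
    # Usage (paths are supplied by the admin): relink.py <socket> <path-inside-jail>
    source, target = sys.argv[1:3]
    print("relinked" if relink_socket(source, target) else "already current")
```

Run it from the service's start script, after the daemon has created its socket; the link gives the jail exactly the access the socket's own permissions allow.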

