vnet jails and rc-scripts

Jamie Gritton jamie at FreeBSD.org
Wed Feb 27 13:36:38 UTC 2013


On 02/27/13 01:30, Andreas Nilsson wrote:
> On Wed, Feb 27, 2013 at 5:44 AM, Jamie Gritton <jamie at freebsd.org
> <mailto:jamie at freebsd.org>> wrote:
>
>     On 02/26/13 01:56, Andreas Nilsson wrote:
>
>         However I still don't get the purpose of the
>         security.jail.param.*. Are they to be set in
>         loader.conf/sysctl.conf to influence the default config of jails,
>         or are they supposed to be per-jail (from inside the jail)
>         carriers of config?
>         The PR seems to indicate it's not really clear.
>
>         Also, man jail says:
>         "The current set of available parameters can be retrieved via
>         ``sysctl -d security.jail.param''.  Any parameters not set will
>         be given default values, often based on the current environment.
>         The core parameters are:"
>         and then lists some. For example jid. I take that to mean that
>         the value of security.jail.param.jid from inside the jail should
>         return the jid of the jail. I just get 0. And
>         security.jail.param.path is 1024, which is not at all the path
>         of the jail... There seems to be quite a discrepancy between
>         the manpage and the implementation.
>
>
>     The bit that the man page says is in fact the entire (user-visible) use
>     for those sysctls: they're just there to show what parameters are
>     available, and what types they are. Actually, they also show jail(8) the
>     same thing, and that's how it knows what parameters exist.
>
>
> Ok. I'm feeling a bit daft here, from within a jail do they say "these
> parameters can be set" or "those parameters have been set"?

It's still a matter of "these parameters can be set." Well, if your jail
has been granted permission to create sub-jails. They're read-only
values (or more properly, read-only non-values), so they appear the same
regardless of environment.

>     But the parameters don't actually have any useful values. Only their
>     types, sizes and descriptions are valid.
>
> Ok, somewhat disappointing ;) Is there an ongoing effort to teach rc and
> friends about the difference between jails and vnet jails? Or is it deemed a
> security problem that a jail knows the "circumstances of its conception"?

It hasn't really been a problem until vnet jails came along. No, there's
been no effort I know of to teach jails their particulars, but then
neither has there been any particular effort to hide them.

- Jamie
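The question Andreas raises, whether a startup script can tell a plain jail from a vnet jail, is what the script below answers. It is an added example, not code from this thread or from FreeBSD's rc.subr. It assumes two read-only sysctls that live outside security.jail.param.*: security.jail.jailed (1 inside any jail, 0 on the host) and security.jail.vnet (1 when the jail owns its own network stack; this OID was added to FreeBSD after this 2013 exchange, so an older kernel reports it as missing, which the code treats as "cannot tell, assume a shared stack"). The security.jail.param.* OIDs are deliberately not consulted: as Jamie explains, they only advertise parameter names, types and buffer sizes (a path of 1024 is a buffer length, not a path), never values belonging to the jail you are in. The SYSCTL_N variable follows the rc.subr convention so the query command can be swapped out, which is also how the logic can be exercised on a machine without jails.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's rc.subr): classify the
# running environment as host, jail or vnet jail so an rc script can decide
# whether it owns a network stack it may configure.
#
# Assumed sysctls (assumptions, not taken from the original post):
#   security.jail.jailed : 1 inside any jail, 0 on the host
#   security.jail.vnet   : 1 when the jail owns its own vnet; added to
#                          FreeBSD after this 2013 thread, so it may be absent
#
# security.jail.param.* is NOT used: per the thread it only lists parameter
# names, types and buffer sizes, never per-jail values.

# Same convention as rc.subr: the sysctl query is a variable so it can be
# replaced (e.g. by a stub function) without touching the logic below.
SYSCTL_N=${SYSCTL_N:-"sysctl -n"}

# jail_mib NAME: print the value of security.jail.NAME, or nothing when the
# OID does not exist or sysctl is unavailable. Always returns 0; callers
# inspect the printed value, not the exit status.
jail_mib()
{
	${SYSCTL_N} "security.jail.$1" 2>/dev/null || :
}

# jail_kind: print exactly one of "host", "jail" or "vnet-jail".
jail_kind()
{
	case "$(jail_mib jailed)" in
	1)	;;
	*)	echo host
		return 0
		;;
	esac

	# Inside a jail. An empty value means this kernel does not expose
	# security.jail.vnet; without it we cannot prove we own a network
	# stack, so fall back to the conservative answer "jail".
	case "$(jail_mib vnet)" in
	1)	echo vnet-jail ;;
	*)	echo jail ;;
	esac
}

# may_configure_network: succeed when this environment owns a network stack
# (the host or a vnet jail). A plain jail shares the host's stack and must
# leave interface and routing setup alone.
may_configure_network()
{
	case "$(jail_kind)" in
	host|vnet-jail)	return 0 ;;
	*)		return 1 ;;
	esac
}

# Stand-alone use: report what this script sees on the current machine.
echo "environment: $(jail_kind)"
if may_configure_network; then
	echo "network configuration: allowed"
else
	echo "network configuration: skipped (shared stack)"
fi
```

On a FreeBSD host, `sysctl -d security.jail.jailed security.jail.vnet` shows whether both OIDs exist on the running kernel before an rc script relies on them; where the second is missing the script above deliberately degrades to "jail" rather than guessing.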

