Re: git: 6452fb1e87ed - main - protect.1: Document that protect(1) does not work in jails

From: Eugene Grosbein <eugen_at_grosbein.net>
Date: Tue, 12 Jul 2022 13:51:19 UTC

12.07.2022 5:49, Mateusz Piotrowski wrote:

> The branch main has been updated by 0mp (doc, ports committer):
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=6452fb1e87ed9d00b52fa1e63e7c3a7516c9586c
> 
> commit 6452fb1e87ed9d00b52fa1e63e7c3a7516c9586c
> Author:     Mateusz Piotrowski <0mp@FreeBSD.org>
> AuthorDate: 2022-07-11 22:43:27 +0000
> Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
> CommitDate: 2022-07-11 22:47:58 +0000
> 
>     protect.1: Document that protect(1) does not work in jails
>     
>     The reason is that in order to protect a process procctl(2) needs
>     the PRIV_VM_MADV_PROTECT privilege, which is currently denied in jails
>     (see kern_jail.c).
>     
>     MFC after:      1 week
> ---
>  usr.bin/protect/protect.1 | 20 +++++++++++++++++++-
>  1 file changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/usr.bin/protect/protect.1 b/usr.bin/protect/protect.1
> index 87a8169b1885..f67a8d9b59ea 100644
> --- a/usr.bin/protect/protect.1
> +++ b/usr.bin/protect/protect.1
> @@ -25,7 +25,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
> -.Dd July 7, 2022
> +.Dd July 12, 2022
>  .Dt PROTECT 1
>  .Os
>  .Sh NAME
> @@ -112,6 +112,24 @@ bit is set to 1.
>  All children of this process will also be protected if
>  .Nm PI
>  bit is set to 1.
> +.Sh DIAGNOSTICS
> +.Bl -diag
> +.It "protect: procctl: Operation not permitted"
> +The
> +.Nm
> +command does not have the required permissions to protect selected processes.
> +There are many reasons why this could be the case, e.g.:
> +.Bl -dash
> +.It
> +.Nm
> +is not executed by root.
> +.It
> +.Nm
> +is executed inside a
> +.Xr jail 8 ,
> +which is not supported at the moment.
> +.El
> +.El
>  .Sh SEE ALSO
>  .Xr ps 1 ,
>  .Xr procctl 2 ,
> 
> 
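
Review bot: In the jail(8) item of the new DIAGNOSTICS list, "which is not supported at the moment" gives the reader no cause, although the commit message states it: procctl(2) needs the PRIV_VM_MADV_PROTECT privilege, which is denied in jails. Suggest saying in that item that the privilege procctl(2) requires is not granted inside a jail, so an administrator who sees "protect: procctl: Operation not permitted" there can recognize a privilege denial. The lead-in "There are many reasons why this could be the case, e.g.:" followed by two items also reads loosely; "Possible reasons include:" would be tighter.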

Does it mean that syslogd_oomprotect="YES" in /etc/defaults/rc.conf is inappropriate for a full-blown jail
and results in failure of syslogd startup in such a jail with defaults?