[Bug 259770] ggate: jail(2) failure error: Unable to jail process in directory /var/empty after stable/12 src ca9ab8ea1774

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 12 Nov 2021 14:16:24 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259770

--- Comment #5 from Fabian Keil <fk@fabiankeil.de> ---
Thanks a lot for your thoughts.

Actually only the forked connection handler(s) go to jail and change the uid:

[fk@elektrobier ~]$ ps waux | grep [g]gated
root    13676  0.0  0.1   12232   2296  -  Ss   14:55      0:00.00 ggated -a 127.0.1.6
ggated  13743  0.0  0.1   17600   3068  -  SCJ  14:55      0:00.02 ggated -a 127.0.1.6
[fk@elektrobier ~]$ sudo procstat -f $(pgrep ggated)
  PID COMM                FD T V FLAGS    REF  OFFSET PRO NAME        
13743 ggated            text v r r-------   -       - -   /sbin/ggated      
13743 ggated             cwd v d r-------   -       - -   /var/empty        
13743 ggated            root v d r-------   -       - -   /var/empty        
13743 ggated            jail v d r-------   -       - -   /var/empty        
13743 ggated               0 v c rw------   6       0 -   /dev/null         
13743 ggated               1 v c rw------   6       0 -   /dev/null         
13743 ggated               2 v c rw------   6       0 -   /dev/null         
13743 ggated               3 v d r----n--   2       0 -   /var/run          
13743 ggated               4 s - rw------   2       0 UDD /var/run/logpriv
13743 ggated               5 v r -w---n-l   2       0 -   /var/run/ggated.pid
13743 ggated               6 s - rw------   3       0 TCP 0 0 127.0.1.6:3080 0.0.0.0:0
13743 ggated               7 s - rw------   1       0 TCP 0 0 127.0.1.6:3080 127.0.1.6:37026
13743 ggated               8 v c rw------   1       0 -   /dev/zvol/dpool/ggated/t520.eli
13743 ggated               9 s - rw------   2       0 TCP 0 0 127.0.1.6:3080 127.0.1.6:40360
13676 ggated            text v r r-------   -       - -   /sbin/ggated      
13676 ggated             cwd v d r-------   -       - -   /                 
13676 ggated            root v d r-------   -       - -   /                 
13676 ggated               0 v c rw------   6       0 -   /dev/null         
13676 ggated               1 v c rw------   6       0 -   /dev/null         
13676 ggated               2 v c rw------   6       0 -   /dev/null         
13676 ggated               3 v d r----n--   2       0 -   /var/run          
13676 ggated               4 s - rw------   2       0 UDD /var/run/logpriv
13676 ggated               5 v r -w---n-l   2       0 -   /var/run/ggated.pid
13676 ggated               6 s - rw------   3       0 TCP 0 0 127.0.1.6:3080 0.0.0.0:0
13676 ggated               7 ? - --------   2       0 -   -                 

I wrote the code years ago and did not remember this.

Looking at the procstat output more closely I realize that
there is no reason why the forked process has to keep the pid
file open at all. It contains the pid of the parent and the
forked process does not actually have to unlink it either.

Without the pid file open, jail(2) should succeed.

The forked process probably does not need access to fd 6 either. Oops ....

While I still think it could be useful to be able to jail
a process with a pid file located outside of the jail I guess
it's not required in this case and I should simply fix/improve
my code.

I'll look into this over the next couple of days and get back to you.

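The approach the comment describes, a forked connection handler dropping the descriptors it does not need before it is jailed, as an added example that is not part of the original comment and is not ggated's code. The function names and `SCAN_LIMIT` are hypothetical, and `/` and `/dev/null` are constructed stand-ins for `/var/run`, the pid file, the listening socket and the client connection.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define SCAN_LIMIT 1024 /* demo bound (assumption); FreeBSD's closefrom(2) avoids the scan */

/* Close every descriptor above stderr that is not listed in keep[]. */
void close_all_except(const int *keep, int n)
{
    for (int fd = 3; fd < SCAN_LIMIT; fd++) {
        int wanted = 0;
        for (int i = 0; i < n; i++)
            wanted |= (keep[i] == fd);
        if (!wanted)
            close(fd);
    }
}

/* Count descriptors above stderr that are still open in this process. */
int count_open_above_stderr(void)
{
    int open_fds = 0;
    for (int fd = 3; fd < SCAN_LIMIT; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            open_fds++;
    return open_fds;
}

/* Fork a handler that inherits stand-ins for the pid file, its directory and
 * the listener, keeps only the connection, and reports how many fds remain. */
int handler_leftover_fds(void)
{
    int dirfd = open("/", O_RDONLY);         /* stand-in for /var/run */
    int pidfd = open("/dev/null", O_WRONLY); /* stand-in for ggated.pid */
    int lsnfd = open("/dev/null", O_RDWR);   /* stand-in for the listening socket */
    int conn = open("/dev/null", O_RDWR);    /* stand-in for the client connection */
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        close_all_except(&conn, 1); /* jail(2) and the uid change would follow */
        _exit(count_open_above_stderr());
    }
    if (pid > 0)
        waitpid(pid, &status, 0);
    close(dirfd); close(pidfd); close(lsnfd); close(conn);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void) { printf("fds left in handler: %d\n", handler_leftover_fds()); return 0; }
```

A real handler would also keep the descriptor of the exported device (fd 8 in the procstat output above) in `keep[]`.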