kern/118247: netstat/sockstat reporting incorrect information due to MAC_PARTITION
Hugo Saro
hugo at barafranca.com
Sun Nov 25 11:40:00 PST 2007
>Number: 118247
>Category: kern
>Synopsis: netstat/sockstat reporting incorrect information due to MAC_PARTITION
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 25 19:40:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Hugo Saro
>Release: FreeBSD 7.0-BETA3 amd64
>Organization:
>Environment:
FreeBSD samba.multiverse.local 7.0-BETA3 FreeBSD 7.0-BETA3 #0: Sun Nov 25 03:53:45 WET 2007 klr at zaurak.bsdlan.org:/usr/obj/usr/src/sys/ZAURAK amd64
>Description:
sockstat and netstat do not show the correct number of connections while security.mac.partition.enabled is set.
I am starting the jail with setpmac partition/XXX /etc/rc.d/jail start samba.
See below.
Should this happen? I am very interested in further isolating jails with mac_partition, but not being able to netstat/sockstat from inside the jail (it works fine from the host, as expected); however, if done under setpmac, the following happens:
host# setpmac partition/9009 netstat -anfinet && echo -- && sockstat -4l
--
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 39843 3 tcp4 10.0.90.1:22 *:*
root smbd 39813 18 tcp4 10.0.90.1:445 *:*
root smbd 39813 19 tcp4 10.0.90.1:139 *:*
root nmbd 39809 6 udp4 10.0.90.1:137 *:*
root nmbd 39809 7 udp4 10.0.90.1:138 *:*
root nmbd 39809 8 udp4 10.0.90.1:137 *:*
root nmbd 39809 9 udp4 10.0.90.1:138 *:*
root sshd 1462 3 tcp4 192.168.0.110:22 *:*
host# netstat -anfinet && echo -- && sockstat -4l
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.0.90.1.139 192.168.0.1.55432 ESTABLISHED
tcp4 0 0 10.0.90.1.22 192.168.0.1.54898 ESTABLISHED
tcp4 0 0 10.0.90.1.139 *.* LISTEN
tcp4 0 0 10.0.90.1.445 *.* LISTEN
tcp4 0 0 10.0.90.1.22 *.* LISTEN
tcp4 0 0 192.168.0.110.22 *.* LISTEN
tcp4 0 48 192.168.0.110.22 192.168.0.1.52590 ESTABLISHED
udp4 0 0 10.0.90.1.138 *.*
udp4 0 0 10.0.90.1.137 *.*
udp4 0 0 10.0.90.1.138 *.*
udp4 0 0 10.0.90.1.137 *.*
--
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 39843 3 tcp4 10.0.90.1:22 *:*
root smbd 39813 18 tcp4 10.0.90.1:445 *:*
root smbd 39813 19 tcp4 10.0.90.1:139 *:*
root nmbd 39809 6 udp4 10.0.90.1:137 *:*
root nmbd 39809 7 udp4 10.0.90.1:138 *:*
root nmbd 39809 8 udp4 10.0.90.1:137 *:*
root nmbd 39809 9 udp4 10.0.90.1:138 *:*
root sshd 1462 3 tcp4 192.168.0.110:22 *:*
I might be missing something obvious, but MAC_PARTITION shouldn't affect the output of netstat/sockstat.
>How-To-Repeat:
host# sysctl security.mac.partition.enabled=0
security.mac.partition.enabled: 1 -> 0
jail# netstat -an -f inet
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.0.90.1.139 192.168.0.1.55432 ESTABLISHED
tcp4 0 160 10.0.90.1.22 192.168.0.1.54898 ESTABLISHED
tcp4 0 0 10.0.90.1.139 *.* LISTEN
tcp4 0 0 10.0.90.1.445 *.* LISTEN
tcp4 0 0 10.0.90.1.22 *.* LISTEN
udp4 0 0 10.0.90.1.138 *.*
udp4 0 0 10.0.90.1.137 *.*
udp4 0 0 10.0.90.1.138 *.*
udp4 0 0 10.0.90.1.137 *.*
host# /etc/rc.d/sysctl reload
security.mac.partition.enabled: 0 -> 1
jail# netstat -an -f inet
netstat: kvm not available: /dev/mem: No such file or directory
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
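The report above shows netstat printing nothing under a mac_partition label while sockstat on the same host still lists every listener, so a monitoring job that relies on netstat alone inside a partitioned jail would have a blind spot. The following Python script is an added example (not part of the PR or of FreeBSD); it parses `netstat -an -f inet` and `sockstat -4l` output into a common (proto, address, port) form and reports listeners that one tool shows and the other does not. The sample outputs embedded in it are constructed from the listings in the report.

```python
"""Compare the listening sockets reported by netstat and sockstat.

Added example, not part of the PR: parses both outputs into
(proto, addr, port) tuples and reports the differences, so a
discrepancy like the one in the report is detected rather than
silently taken as "no sockets". Sample outputs below are constructed
from the listings in the report.
"""

# Constructed sample: `netstat -an -f inet` as seen from the host.
NETSTAT_OUTPUT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.0.90.1.139 192.168.0.1.55432 ESTABLISHED
tcp4 0 0 10.0.90.1.139 *.* LISTEN
tcp4 0 0 10.0.90.1.445 *.* LISTEN
tcp4 0 0 10.0.90.1.22 *.* LISTEN
tcp4 0 0 192.168.0.110.22 *.* LISTEN
udp4 0 0 10.0.90.1.138 *.*
udp4 0 0 10.0.90.1.137 *.*
"""

# Constructed sample: `sockstat -4l` from the same host.
SOCKSTAT_OUTPUT = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 39843 3 tcp4 10.0.90.1:22 *:*
root smbd 39813 18 tcp4 10.0.90.1:445 *:*
root smbd 39813 19 tcp4 10.0.90.1:139 *:*
root nmbd 39809 6 udp4 10.0.90.1:137 *:*
root nmbd 39809 7 udp4 10.0.90.1:138 *:*
root sshd 1462 3 tcp4 192.168.0.110:22 *:*
"""

# Constructed sample: what netstat printed under the partition label (nothing).
EMPTY_NETSTAT_OUTPUT = ""


def _split_endpoint(endpoint, sep):
    """Split 'addr<sep>port' into (addr, port); wildcards become ('*', '*')."""
    if endpoint in ("*.*", "*:*"):
        return ("*", "*")
    addr, port = endpoint.rsplit(sep, 1)
    return (addr, port)


def parse_netstat_listeners(text):
    """Return the set of (proto, addr, port) listeners in `netstat -an` output.

    TCP listeners carry a LISTEN state; UDP sockets have no state column
    and are counted as listeners when their foreign address is *.*.
    netstat separates address and port with a dot.
    """
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, header, or blank line
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        if proto.startswith("udp") and foreign != "*.*":
            continue
        addr, port = _split_endpoint(local, ".")
        listeners.add((proto, addr, port))
    return listeners


def parse_sockstat_listeners(text):
    """Return the set of (proto, addr, port) sockets in `sockstat -l` output.

    sockstat separates address and port with a colon.
    """
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header or blank line
        proto, local = fields[4], fields[5]
        addr, port = _split_endpoint(local, ":")
        listeners.add((proto, addr, port))
    return listeners


def compare_listeners(netstat_text, sockstat_text):
    """Return (only_in_netstat, only_in_sockstat) as sorted lists."""
    ns = parse_netstat_listeners(netstat_text)
    ss = parse_sockstat_listeners(sockstat_text)
    return sorted(ns - ss), sorted(ss - ns)


if __name__ == "__main__":
    for label, text in (("host", NETSTAT_OUTPUT), ("setpmac", EMPTY_NETSTAT_OUTPUT)):
        only_ns, only_ss = compare_listeners(text, SOCKSTAT_OUTPUT)
        print(f"{label}: {len(only_ns)} only in netstat, {len(only_ss)} only in sockstat")
        for entry in only_ss:
            print("  missing from netstat:", entry)
```

On the host sample both tools agree; on the setpmac sample every sockstat listener is reported as missing from netstat, which is the condition a jail-side check should alarm on rather than treat as "nothing listening".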