Jailing net/skype

Tobias Rehbein tobias.rehbein at web.de
Sat Sep 13 17:31:12 UTC 2008

Am Thu, Sep 11, 2008 at 07:47:21PM +0200 schrieb Tobias Rehbein:
> I have net/skype installed on my workstation and it just works fine. Now I
> wonder if it's possible to run skype in a jail.
> Before I start investing time in this I would like to know if someone has
> done it before or if it would be just a waste of time.

Hello all.

As nobody seems to have experience with this, I decided to set up a simple jail
and test it myself. Unfortunately skype keeps dumping core when I try to start
it. Perhaps someone has a hint on how to deal with this.

I tried to set up the jail as unrestrictive as possible. My goal was to get the
whole thing running first and lock down the jail later.

	#uname -a
	FreeBSD sushi.pseudo.local 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #17: 
	Thu Sep 11 19:04:40 CEST 2008     
	tobi at sushi.pseudo.local:/usr/obj/usr/src/sys/SUSHI  i386

	#sysctl security.jail.
	security.jail.jailed: 1
	security.jail.mount_allowed: 0
	security.jail.chflags_allowed: 0
	security.jail.allow_raw_sockets: 1
	security.jail.enforce_statfs: 2
	security.jail.sysvipc_allowed: 1
	security.jail.socket_unixiproute_only: 0
	security.jail.set_hostname_allowed: 1

	#sysctl compat.linux
	compat.linux.oss_version: 198144
	compat.linux.osrelease: 2.6.16
	compat.linux.osname: Linux

	#pkg_info | grep linux_base
	linux_base-fc6-6_5  Base set of packages needed in Linux mode (for i386/amd64)
	#grep LINUX /etc/make.conf

devfs is mounted and I use the same ruleset as in the host system.

	#kdump -f ktrace.out | head
 	84180 skype    CALL  access(0x292b2b61,R_OK)
 	84180 skype    NAMI  "/compat/linux/etc/ld.so.preload"
 	84180 skype    NAMI  "/etc/ld.so.preload"
 	84180 skype    RET   access JUSTRETURN
 	84180 skype    CALL  open(0x292b2d49,O_RDONLY,<unused>0)
 	84180 skype    NAMI  "/compat/linux/etc/ld.so.cache"
 	84180 skype    NAMI  "/compat/linux"
 	84180 skype    NAMI  "/compat/linux/etc/ld.so.cache"
 	84180 skype    RET   open 3
 	84180 skype    CALL  freebsd6_mmap(0x3,0xbfbfe324,<invalid>690704336,MAP_SHARED|MAP_PRIVATE|MAP_RENAME|MAP_NORESERVE|MAP_HASSEMAPHORE|MAP_STACK|MAP_NOSYNC,0x2e6f732e,0x68636163,0x646165,0,0,0,0,0,0,0,0,0,... (lots of '0,'s)

The funny thing is that kdump itself dumps core when dumping the whole thing out (I
guess that has something to do with this endless '...0,0,0,0,0...' sequence).

Last but not least my kernel config:

	cpu		I686_CPU
	ident		SUSHI
	options 	SCHED_ULE		# ULE scheduler
	options 	PREEMPTION		# Enable kernel thread preemption
	options 	INET			# InterNETworking
	options 	INET6			# IPv6 communications protocols
	options 	SCTP			# Stream Control Transmission Protocol
	options 	FFS			# Berkeley Fast Filesystem
	options 	SOFTUPDATES		# Enable FFS soft updates support
	options 	UFS_DIRHASH		# Improve performance on big directories
	options 	MSDOSFS			# MSDOS Filesystem
	options 	CD9660			# ISO 9660 Filesystem
	options 	PSEUDOFS		# Pseudo-filesystem framework
	options 	GEOM_LABEL		# Provides labelization
	options 	COMPAT_43TTY		# BSD 4.3 TTY compat [KEEP THIS!]
	options 	SCSI_DELAY=5000		# Delay (in ms) before probing SCSI
	options 	KTRACE			# ktrace(1) support
	options 	STACK			# stack(9) support
	options 	SYSVSHM			# SYSV-style shared memory
	options 	SYSVMSG			# SYSV-style message queues
	options 	SYSVSEM			# SYSV-style semaphores
	options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
	options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
	options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.
	options 	STOP_NMI		# Stop CPUS using NMI instead of IPI
	options 	SMP			# Symmetric MultiProcessor Kernel
	device		apic			# I/O APIC
	device		cpufreq
	device		eisa
	device		pci
	device		ata
	device		atadisk		# ATA disk drives
	device		atapicd		# ATAPI CDROM drives
	options 	ATA_STATIC_ID	# Static device numbering
	options 	AHC_REG_PRETTY_PRINT	# Print register bitfields in debug
						# output.  Adds ~128k to driver.
	options 	AHD_REG_PRETTY_PRINT	# Print register bitfields in debug
						# output.  Adds ~215k to driver.
	device		scbus		# SCSI bus (required for SCSI)
	device		da		# Direct Access (disks)
	device		cd		# CD
	device		pass		# Passthrough device (direct SCSI access)
	device		atkbdc		# AT keyboard controller
	device		atkbd		# AT keyboard
	device		psm		# PS/2 mouse
	device		vga		# VGA video card driver
	device		splash		# Splash screen and screen saver support
	device		sc
	device		agp		# support several AGP chipsets
	device		sio		# 8250, 16[45]50 based serial ports
	device		ppc
	device		ppbus		# Parallel port bus (required)
	device		miibus		# MII bus support
	device		re		# RealTek 8139C+/8169/8169S/8110S
	device		wlan		# 802.11 support
	device		wlan_wep	# 802.11 WEP support
	device		wlan_ccmp	# 802.11 CCMP support
	device		wlan_tkip	# 802.11 TKIP support
	device		wlan_amrr	# AMRR transmit rate control algorithm
	device		wlan_scan_ap	# 802.11 AP mode scanning
	device		wlan_scan_sta	# 802.11 STA mode scanning
	device		loop		# Network loopback
	device		random		# Entropy device
	device		ether		# Ethernet support
	device		pty		# Pseudo-ttys (telnet etc)
	device		md		# Memory "disks"
	device		firmware	# firmware assist module
	device		bpf		# Berkeley packet filter
	device		uhci		# UHCI PCI->USB interface
	device		ehci		# EHCI PCI->USB interface (USB 2.0)
	device		usb		# USB Bus (required)
	device		umass		# Disks/Mass storage - Requires scbus and da
	device		ums		# Mouse
	device		firewire	# FireWire bus code
	device		sbp		# SCSI over FireWire (Requires scbus and da)
	device 		atapicam
	device 		sound
	device 		snd_hda
	device 		wpi
	device 		drm
	device 		radeondrm
	options 	NULLFS
	makeoptions	ATKBD_DFLT_KEYMAP=german.iso.acc
	options		IPFIREWALL
	options		IPDIVERT
	options		COMPAT_LINUX

Any help would be appreciated.

Regards Tobias

Tobias Rehbein

PGP key:         4F2AE314
    server:      keys.gnupg.net
    fingerprint: ECDA F300 1B6E 9B87 8524  8663 E8B6 3138 4F2A E314
