Jailing net/skype
Tobias Rehbein
tobias.rehbein at web.de
Sat Sep 13 17:31:12 UTC 2008
Am Thu, Sep 11, 2008 at 07:47:21PM +0200 schrieb Tobias Rehbein:
> I have net/skype installed on my workstation and it just works fine. Now I
> wonder if it's possible to run skype in a jail.
>
> Before I start investing time in this I would like to know if someone has
> done it before or if it would be just a waste of time.
Hello all.
As nobody seems to have experience with this, I decided to set up a simple jail
to test it. Unfortunately skype keeps dumping core when I try to start it.
Perhaps someone has a hint on how to deal with this.
I tried to set up the jail as unrestrictive as possible. My goal was to get the whole
thing running first and lock down the jail later.
#uname -a
FreeBSD sushi.pseudo.local 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #17:
Thu Sep 11 19:04:40 CEST 2008
tobi at sushi.pseudo.local:/usr/obj/usr/src/sys/SUSHI i386
#sysctl security.jail.
security.jail.jailed: 1
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 0
security.jail.set_hostname_allowed: 1
#sysctl compat.linux
compat.linux.oss_version: 198144
compat.linux.osrelease: 2.6.16
compat.linux.osname: Linux
#pkg_info | grep linux_base
linux_base-fc6-6_5 Base set of packages needed in Linux mode (for i386/amd64)
#grep LINUX /etc/make.conf
OVERRIDE_LINUX_BASE_PORT=fc6
devfs is mounted in the jail, using the same devfs ruleset as on the host system.
#kdump -f ktrace.out | head
84180 skype CALL access(0x292b2b61,R_OK)
84180 skype NAMI "/compat/linux/etc/ld.so.preload"
84180 skype NAMI "/etc/ld.so.preload"
84180 skype RET access JUSTRETURN
84180 skype CALL open(0x292b2d49,O_RDONLY,<unused>0)
84180 skype NAMI "/compat/linux/etc/ld.so.cache"
84180 skype NAMI "/compat/linux"
84180 skype NAMI "/compat/linux/etc/ld.so.cache"
84180 skype RET open 3
84180 skype CALL freebsd6_mmap(0x3,0xbfbfe324,<invalid>690704336,MAP_SHARED|MAP_PRIVATE|MAP_RENAME|MAP_NORESERVE|MAP_HASSEMAPHORE|MAP_STACK|MAP_NOSYNC,0x2e6f732e,0x68636163,0x646165,0,0,0,0,0,0,0,0,0,... (lots of '0,'s)
The funny thing is that kdump itself dumps core when printing the whole trace (I
guess that has something to do with this endless '...0,0,0,0,0...' sequence).
Last but not least, my kernel config:
cpu I686_CPU # 686-class CPU (i386 kernel, see uname above)
ident SUSHI # Kernel identifier, matches the uname output above
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_DIRHASH # Improve performance on big directories
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_LABEL # Provides labelization
options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!]
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
options STOP_NMI # Stop CPUS using NMI instead of IPI
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
device cpufreq # CPU frequency control
device eisa # EISA bus support
device pci # PCI bus support
device ata # ATA controller driver
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID # Static device numbering
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
device scbus # SCSI bus (required for SCSI)
device da # Direct Access (disks)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
device splash # Splash screen and screen saver support
device sc # System console (syscons)
device agp # support several AGP chipsets
device sio # 8250, 16[45]50 based serial ports
device ppc # Parallel port chipset
device ppbus # Parallel port bus (required)
device miibus # MII bus support
device re # RealTek 8139C+/8169/8169S/8110S
device wlan # 802.11 support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device wlan_amrr # AMRR transmit rate control algorithm
device wlan_scan_ap # 802.11 AP mode scanning
device wlan_scan_sta # 802.11 STA mode scanning
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device firmware # firmware assist module
device bpf # Berkeley packet filter
device uhci # UHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
device firewire # FireWire bus code
device sbp # SCSI over FireWire (Requires scbus and da)
device atapicam # ATAPI devices via the CAM layer
device sound # Generic sound driver (required by snd_*)
device snd_hda # Intel High Definition Audio
device wpi # Intel 3945ABG wireless
device drm # DRM core (required by DRM drivers)
device radeondrm # ATI Radeon DRM
options NULLFS # NULL filesystem (loopback mounts)
options ATKBD_DFLT_KEYMAP # Compile a default keymap into the kernel
makeoptions ATKBD_DFLT_KEYMAP=german.iso.acc # German keymap
options IPFIREWALL # ipfw(8) packet filter
options IPDIVERT # Divert sockets (e.g. for natd)
options COMPAT_LINUX # Linux binary compatibility; the ktrace above shows skype loading from /compat/linux
Any help would be appreciated.
Regards, Tobias
--
Tobias Rehbein
PGP key: 4F2AE314
server: keys.gnupg.net
fingerprint: ECDA F300 1B6E 9B87 8524 8663 E8B6 3138 4F2A E314