FreeBSD 11.2-RELEASE-p9 jail ping: ssend socket: Operation not permitted

David Christensen dpchrist at holgerdanske.com
Fri Feb 15 02:49:24 UTC 2019


freebsd-questions:

I have a FreeBSD machine:

root at beastie:~ # freebsd-version ; uname -a
11.2-RELEASE-p9
FreeBSD beastie 11.2-RELEASE-p9 FreeBSD 11.2-RELEASE-p9 #0: Tue Feb  5 15:30:36 UTC 2019     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64


It has one network interface with one alias:

root at beastie:~ # grep ifconfig /etc/rc.conf
ifconfig_em0="inet 192.168.5.9 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.168.5.8 netmask 255.255.255.255"


I have created a jail that I plan to use for Samba:

root at beastie:~ # cat /etc/jail.conf
samba {
     host.hostname="samba.tracy.holgerdanske.com";
     ip4.addr="192.168.5.8";
     path="/jail/samba";
     mount.devfs;
     exec.clean;
     exec.start="sh /etc/rc";
     exec.stop="sh /etc/rc.shutdown";
}


I have copied resolv.conf into the jail:

root at beastie:~ # cat /jail/samba/etc/resolv.conf
search tracy.holgerdanske.com
nameserver 192.168.5.1


I have created rc.conf inside the jail:

root at beastie:~ # cat /jail/samba/etc/rc.conf
defaultrouter="192.168.5.1"
ntpd_enable="YES"
sshd_enable="YES"


I have created a dummy fstab inside the jail:

root at beastie:~ # ll /jail/samba/etc/fstab
-rw-r--r--  1 root  wheel  0 2019/02/14 16:16:13 /jail/samba/etc/fstab


I have enabled jails at host startup:

root at beastie:~ # grep jail /etc/rc.conf
jail_enable="YES"


I have enabled jail raw sockets on both the host and inside the jail:

root at beastie:~ # grep jail /etc/sysctl.conf
security.jail.allow_raw_sockets=1

root at beastie:~ # cat /jail/samba/etc/sysctl.conf | grep -v #
security.jail.allow_raw_sockets=1


When I reboot the host:

root at beastie:~ # shutdown -r now


The jail is running:

root at beastie:~ # service jail status
  JID             IP Address      Hostname                      Path
  samba           192.168.5.8     samba.tracy.holgerdanske.com  /jail/samba


Jail raw sockets are enabled on the host:

root at beastie:~ # sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1


But they are disabled in the jail:

root at samba:/ # sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 0


The jail network interfaces look good:

root at samba:/ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
	ether 54:bf:64:72:38:db
	hwaddr 54:bf:64:72:38:db
	inet 192.168.5.8 netmask 0xffffffff broadcast 192.168.5.8
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	groups: lo


But the jail cannot ping itself, the host, or any other host:

root at beastie:~ # jexec samba /bin/csh -l

root at samba:/ # ping localhost
ping: ssend socket: Operation not permitted

root at samba:/ # ping 192.168.5.9
ping: ssend socket: Operation not permitted

root at samba:/ # ping 192.168.5.1
ping: ssend socket: Operation not permitted


Suggestions?


David
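As an added example that is not part of David's post: raw sockets are granted per jail through the boolean jail(8) parameter allow.raw_sockets (in jail.conf), and inside a jail the sysctl security.jail.allow_raw_sockets reports that jail's own setting, so the host and the jail can legitimately disagree as they do above. Because a raw socket lets a jailed process build arbitrary IP packets, it is worth knowing which jails grant it; the script below (jail names, addresses and the sample file are constructed, not taken from the poster's system) parses a jail.conf and reports the setting per jail.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a jail.conf for the
# per-jail boolean parameter allow.raw_sockets (see jail(8)).
# Assumes one statement per line and "#" comments only (jail.conf also
# accepts "//" and "/* */" comments, which this audit does not handle).

# Print "<jail> yes|no" for each jail block. A top-level allow.raw_sockets
# line (outside any block) sets the default; a line inside a block overrides
# it. "allow.raw_sockets;" and "= 1|true|yes" grant raw sockets,
# "allow.noraw_sockets;" and "= 0|false|no" deny them.
audit_jail_conf() {
    awk '
        /^[ \t]*#/ { next }                              # comment line
        index($0, "{") > 0 { depth++; sub(/[ \t]*[{].*/, ""); gsub(/^[ \t]+/, "")
                             name = $0; raw = global; next }
        index($0, "}") > 0 { depth--; printf "%s %s\n", name, (raw ? "yes" : "no"); next }
        /allow\.(no)?raw_sockets/ {
            v = ($0 ~ /noraw_sockets/ || $0 ~ /=[ \t]*(0|false|no)[ \t]*;/) ? 0 : 1
            if (depth == 0) global = v; else raw = v
        }
    ' "$1"
}

# Write a constructed jail.conf (sample data, not the poster's file) to "$1".
write_sample_jail_conf() {
    cat > "$1" <<'EOF'
# constructed sample jail.conf
exec.clean;
samba {
    host.hostname="samba.example";
    ip4.addr="192.168.5.8";
    allow.raw_sockets;           # needed for ping inside this jail
}
web {
    ip4.addr="192.168.5.10";
    allow.raw_sockets = 0;       # explicitly denied
}
EOF
}

main() {
    f=$(mktemp) || exit 1
    write_sample_jail_conf "$f"
    audit_jail_conf "$f"         # prints: samba yes / web no
    rm -f "$f"
}
```

Run against the real file with `audit_jail_conf /etc/jail.conf`; any jail listed as "yes" can open raw sockets, which is the capability ping needs and most service jails do not.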

