FreeBSD 11.2-RELEASE-p9 jail ping: ssend socket: Operation not permitted
Arthur Chance
freebsd at qeng-ho.org
Fri Feb 15 08:16:45 UTC 2019
On 15/02/2019 02:41, David Christensen wrote:
> freebsd-questions:
>
> I have a FreeBSD machine:
>
> root at beastie:~ # freebsd-version ; uname -a
> 11.2-RELEASE-p9
> FreeBSD beastie 11.2-RELEASE-p9 FreeBSD 11.2-RELEASE-p9 #0: Tue Feb 5 15:30:36 UTC 2019     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>
>
> It has one network interface with one alias:
>
> root at beastie:~ # grep ifconfig /etc/rc.conf
> ifconfig_em0="inet 192.168.5.9 netmask 255.255.255.0"
> ifconfig_em0_alias0="inet 192.168.5.8 netmask 255.255.255.255"
>
>
> I have created a jail that I plan to use for Samba:
>
> root at beastie:~ # cat /etc/jail.conf
> samba {
> host.hostname="samba.tracy.holgerdanske.com";
> ip4.addr="192.168.5.8";
> path="/jail/samba";
> mount.devfs;
> exec.clean;
> exec.start="sh /etc/rc";
> exec.stop="sh /etc/rc.shutdown";
> }
>
>
> I have copied resolv.conf into the jail:
>
> root at beastie:~ # cat /jail/samba/etc/resolv.conf
> search tracy.holgerdanske.com
> nameserver 192.168.5.1
>
>
> I have created rc.conf inside the jail:
>
> root at beastie:~ # cat /jail/samba/etc/rc.conf
> defaultrouter="192.168.5.1"
> ntpd_enable="YES"
> sshd_enable="YES"
>
>
> I have created a dummy fstab inside the jail:
>
> root at beastie:~ # ll /jail/samba/etc/fstab
> -rw-r--r-- 1 root wheel 0 2019/02/14 16:16:13 /jail/samba/etc/fstab
>
>
> I have enabled jails at host startup:
>
> root at beastie:~ # grep jail /etc/rc.conf
> jail_enable="YES"
>
>
> I have enabled jail raw sockets on both the host and inside the jail:
>
> root at beastie:~ # grep jail /etc/sysctl.conf
> security.jail.allow_raw_sockets=1
>
> root at beastie:~ # cat /jail/samba/etc/sysctl.conf | grep -v #
> security.jail.allow_raw_sockets=1
>
>
> When I reboot the host:
>
> root at beastie:~ # shutdown -r now
>
>
> The jail is running:
>
> root at beastie:~ # service jail status
> JID IP Address Hostname Path
> samba 192.168.5.8 samba.tracy.holgerdanske.com /jail/samba
>
>
> Jail raw sockets are enabled on the host:
>
> root at beastie:~ # sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
>
>
> But they are disabled in the jail:
>
> root at samba:/ # sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 0
>
>
> The jail network interfaces look good:
>
> root at samba:/ # ifconfig
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
> ether 54:bf:64:72:38:db
> hwaddr 54:bf:64:72:38:db
> inet 192.168.5.8 netmask 0xffffffff broadcast 192.168.5.8
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
> groups: lo
>
>
> But the jail cannot ping itself, the host, or any other host:
>
> root at beastie:~ # jexec samba /bin/csh -l
>
> root at samba:/ # ping localhost
> ping: ssend socket: Operation not permitted
>
> root at samba:/ # ping 192.168.5.9
> ping: ssend socket: Operation not permitted
>
> root at samba:/ # ping 192.168.5.1
> ping: ssend socket: Operation not permitted
>
>
> Suggestions?
>
Read the manual entry for jail(8). Specifically this bit:

     allow.raw_sockets
             The jail root is allowed to create raw sockets. Setting
             this parameter allows utilities like ping(8) and
             traceroute(8) to operate inside the jail. If this is
             set, the source IP addresses are enforced to comply with
             the IP address bound to the jail, regardless of whether
             or not the IP_HDRINCL flag has been set on the socket.
             Since raw sockets can be used to configure and interact
             with various network subsystems, extra caution should be
             used where privileged access to jails is given out to
             untrusted parties.
--
Always learn from the mistakes of others, because you won't live long
enough to learn from making all possible mistakes yourself.
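Added worked example, not part of the thread and not the poster's or the FreeBSD project's code. It shows the jail.conf change the reply's jail(8) excerpt points at (the question's samba block with allow.raw_sockets added), the host-side commands to apply and verify it, and, because the same excerpt says raw-socket grants deserve caution, a small audit that lists which jails in a jail.conf have the grant. The two jail.conf texts are constructed for the example; the only FreeBSD commands used are service(8), jail(8), jls(8), jexec(8), sysctl(8) and ping(8).

```shell
#!/bin/sh
# Added example for the thread above (not the poster's file). Part 1: the
# question's /etc/jail.conf with the one missing parameter. Part 2: an audit
# of allow.raw_sockets across a jail.conf. Part 3: applying and verifying
# on the FreeBSD host.

# Constructed: the question's samba block plus allow.raw_sockets.
FIXED_JAIL_CONF='
samba {
host.hostname="samba.tracy.holgerdanske.com";
ip4.addr="192.168.5.8";
path="/jail/samba";
mount.devfs;
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
allow.raw_sockets;   # the missing line: lets ping(8) open its raw socket
}
'

# Constructed three-jail config for the audit: one grants, one denies
# explicitly, one says nothing and therefore gets the default, which is off.
AUDIT_JAIL_CONF='
exec.clean;
web {
    ip4.addr = "192.168.5.10";
    allow.raw_sockets = 0;
}
db {
    ip4.addr = "192.168.5.11";
}
samba {
    ip4.addr = "192.168.5.8";
    allow.raw_sockets = true;
}
'

# raw_socket_audit CONF_TEXT -> one "name=on|off" line per jail block.
# Accepts the jail.conf(5) spellings: bare "allow.raw_sockets;" (on),
# "= 1|true|yes" (on), "= 0|false|no" (off). Assumes one parameter per line
# and no "#" inside quoted values, which is how the question's file is laid out.
raw_socket_audit() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                                  # drop comments
        /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*[{]/ {     # "name {" opens a jail
            name = $1; sub(/[{].*/, "", name)
            state = "off"; injail = 1; next
        }
        injail && /allow\.raw_sockets/ {
            if ($0 ~ /allow\.raw_sockets[[:space:]]*;/)              state = "on"
            else if ($0 ~ /=[[:space:]]*(1|true|yes)[[:space:]]*;/)  state = "on"
            else if ($0 ~ /=[[:space:]]*(0|false|no)[[:space:]]*;/)  state = "off"
            next
        }
        injail && /^[[:space:]]*[}]/ { print name "=" state; injail = 0 }
    '
}

# On the FreeBSD host (guarded so this file also runs elsewhere). After adding
# allow.raw_sockets to the samba block in /etc/jail.conf, restart the jail so
# jail(8) re-creates it with the parameter; jail -m can flip it on the running
# jail in the meantime. Note what the question showed: the host sysctl was 1
# while the jail reported 0, and the copy of the sysctl in the jail's own
# /etc/sysctl.conf did not change that. The jail parameter is what counts.
apply_and_verify() {
    if ! command -v jail >/dev/null 2>&1; then
        echo "jail(8) not found; run this on the FreeBSD host" >&2
        return 1
    fi
    service jail restart samba
    # jail -m name=samba allow.raw_sockets=1            # runtime alternative
    jls -j samba allow.raw_sockets                      # expect 1
    jexec samba sysctl security.jail.allow_raw_sockets  # expect 1, not the 0 in the question
    jexec samba ping -c 1 192.168.5.1
}

raw_socket_audit "$AUDIT_JAIL_CONF"
if [ "${1:-}" = "--apply" ]; then
    apply_and_verify
fi
```

Run without arguments the script only prints the audit (web=off, db=off, samba=on for the constructed config); `--apply` runs the host-side steps. The audit treats a jail that says nothing as "off", which matches the behaviour in the question: jail(8) set the samba jail up without raw sockets even though the host's security.jail.allow_raw_sockets sysctl was 1, so only an explicit allow.raw_sockets in the jail's own block turns it on.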