From nobody Mon Jun 14 19:24:55 2021
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 256544] jail crashes on config parsing
Date: Mon, 14 Jun 2021 19:24:55 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: Unspecified
X-Bugzilla-Severity: Affects Only Me
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256544

Jamie Gritton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jamie@FreeBSD.org

--- Comment #3 from Jamie Gritton ---
Created attachment 225808
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=225808&action=edit
Don't allow substitution of value-less parameters.
--
You are receiving this mail because:
You are the assignee for the bug.

From nobody Mon Jun 14 19:26:12 2021
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 256544] jail crashes on config parsing
Date: Mon, 14 Jun 2021 19:26:12 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256544

Jamie Gritton changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|jail@FreeBSD.org            |jamie@FreeBSD.org
             Status|New                         |In Progress

--- Comment #4 from Jamie Gritton ---
Not defined is no problem - but I hadn't considered semi-defined!  The patch
fills this gap, treating parameters that exist but have no value as not
existing for the sake of variable substitution.
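The rule stated in comment #4, as an added example; this is not attachment 225808 and not jail(8)'s code. `struct param`, `expand_vars`, the status codes and the sample table are hypothetical, and only the `${name}` form is handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parameter record (not jail(8)'s own structure).
 * value == NULL models a parameter that exists but has no value. */
struct param {
	const char *name;
	const char *value;
};

enum subst_status { SUBST_OK, SUBST_UNDEFINED, SUBST_SYNTAX, SUBST_TOOLONG };

/* Constructed sample table: "persist" is present but value-less. */
const struct param sample_params[] = {
	{ "name", "www" },
	{ "path", "/jails/www" },
	{ "persist", NULL },
};
const size_t sample_nparams = sizeof(sample_params) / sizeof(sample_params[0]);

/* Value to substitute for name[0..len), or NULL when the parameter is
 * missing or value-less; the caller treats both as "not existing". */
static const char *
subst_value(const struct param *tab, size_t n, const char *name, size_t len)
{
	for (size_t i = 0; i < n; i++) {
		if (strlen(tab[i].name) == len &&
		    memcmp(tab[i].name, name, len) == 0)
			return tab[i].value;
	}
	return NULL;
}

/* Expand ${name} references from src into dst (NUL-terminated on success). */
enum subst_status
expand_vars(const struct param *tab, size_t n, const char *src,
    char *dst, size_t dstsz)
{
	size_t out = 0;

	if (dstsz == 0)
		return SUBST_TOOLONG;
	while (*src != '\0') {
		if (src[0] == '$' && src[1] == '{') {
			const char *end = strchr(src + 2, '}');
			if (end == NULL)
				return SUBST_SYNTAX;
			const char *val = subst_value(tab, n, src + 2,
			    (size_t)(end - (src + 2)));
			/* Reject before strlen()/memcpy() ever see NULL. */
			if (val == NULL)
				return SUBST_UNDEFINED;
			size_t vlen = strlen(val);
			if (vlen >= dstsz - out)
				return SUBST_TOOLONG;
			memcpy(dst + out, val, vlen);
			out += vlen;
			src = end + 1;
		} else {
			if (out + 1 >= dstsz)
				return SUBST_TOOLONG;
			dst[out++] = *src++;
		}
	}
	dst[out] = '\0';
	return SUBST_OK;
}

int
main(void)
{
	const char *inputs[] = { "${path}/etc/rc", "flag=${persist}", "${nosuch}" };
	char buf[64];

	for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		enum subst_status st = expand_vars(sample_params,
		    sample_nparams, inputs[i], buf, sizeof(buf));
		printf("%-16s -> %s\n", inputs[i],
		    st == SUBST_OK ? buf : "error: variable not defined");
	}
	return 0;
}
```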
From nobody Wed Jun 16 14:34:17 2021
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 255830] dummynet(4) queues/pipes do not work inside of a VNET jail
Date: Wed, 16 Jun 2021 14:34:17 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Severity: Affects Some People

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255830

Mark Johnston changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open
                 CC|                            |markj@FreeBSD.org

--- Comment #6 from Mark Johnston ---
It looks like the patches to make dummynet work in vnets have been committed:
https://cgit.freebsd.org/src/commit/?id=fe3bcfbda30e763a3ec56083b3a19cebbeaf8952

Based on lack of a MFC tag, I guess this will be 14.0 only?
From nobody Wed Jun 16 14:37:16 2021
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 255830] dummynet(4) queues/pipes do not work inside of a VNET jail
Date: Wed, 16 Jun 2021 14:37:16 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255830

--- Comment #7 from Kristof Provost ---
(In reply to Mark Johnston from comment #6)
I do hope to MFC this work, but it's currently incomplete. It's part of an
effort to make pf support dummynet, and as part of that I'm also writing a few
test cases (which requires the dummynet support).

That's revealed at least one bug (when an interface goes away dummynet does
not purge queued packets for that interface. When it goes to send them bad
things happen.). I'm also having issues with an IPv6 queue test, but I'm still
debugging.

tl;dr: I hope to eventually MFC this, but right now vnet support in dummynet
should be considered experimental.
From nobody Fri Jun 18 10:14:24 2021
From: David Schlachter
To: freebsd-jail@freebsd.org
Subject: Only root can access a fusefs mount in a jail?
Date: Fri, 18 Jun 2021 06:14:24 -0400

Hi all,

I posted about this in the iocage issues on Github yesterday [1], but I
wonder if it's an underlying issue with jails and fusefs. Summary: in a
jail, root can mount and use a fusefs filesystem, but non-root users are
not able to access it (with appropriate permissions). I'd appreciate any
insight on how I could allow regular users to use such a filesystem
(mounted by root).

Detailed description to reproduce:

Create a jail with the options:
- allow_mount: 1
- allow_mount_fusefs: 1
- enforce_statfs: 1

On the host, ensure the fusefs kernel module is loaded. In the guest, add
an unprivileged user (e.g. UID=1001), then install fusefs-sshfs and use it
to mount a remote server:

# sshfs -o uid=1001,gid=1001 user@server.tld: /mnt

Root is able to ls the mount, add & remove files, etc.

root@fuse-jail:~ # ls -la /mnt
total 4545
drwxr-x--x   1 user  user     84 Jun 17 18:51 .
drwxr-xr-x  20 root  wheel    25 May 30 22:14 ..
-rw-------   1 user  user   2867 Apr  9  2019 .bash_history
-rw-r--r--   1 user  user   9286 Jun 17 06:00 .bash_profile
lrwxr-xr-x   1 user  user     52 Jan 23  2020 .bashrc
drwx------   1 user  user     12 May 18 12:49 .cache
...

However, the unprivileged user cannot, despite being the owner of the
directory.

user@fuse-jail:~ % ls -la /
...
drwxr-x--x   1 user  user     84 Jun 17 18:51 mnt
...

user@fuse-jail:~ % ls -la /mnt
total 0
ls: /mnt: Operation not permitted

Expected behaviour is that user can access /mnt.

Thanks in advance for any ideas!
David

[1] https://github.com/iocage/iocage/issues/1261

From nobody Fri Jun 18 10:59:43 2021
From: Crest
To: freebsd-jail@freebsd.org
Subject: Re: Only root can access a fusefs mount in a jail?
Date: Fri, 18 Jun 2021 12:59:43 +0200
Message-ID: <5277b3d5-dd8a-bb45-5dbd-aa9c66d9ce72@rlwinm.de>

On 18.06.21 12:14, David Schlachter wrote:
> Hi all,
>
> I posted about this in the iocage issues on Github yesterday [1], but I
> wonder if it's an underlying issue with jails and fusefs. Summary: in a
> jail, root can mount and use a fusefs filesystem, but non-root users are
> not able to access it (with appropriate permissions). I'd appreciate any
> insight on how I could allow regular users to use such a filesystem
> (mounted by root).
>
> Detailed description to reproduce:
>
> Create a jail with the options:
> - allow_mount: 1
> - allow_mount_fusefs: 1
> - enforce_statfs: 1
>
> On the host, ensure the fusefs kernel module is loaded. In the guest, add
> an unprivileged user (e.g. UID=1001), then install fusefs-sshfs and use it
> to mount a remote server:
>
> # sshfs -o uid=1001,gid=1001 user@server.tld: /mnt
>
> Root is able to ls the mount, add & remove files, etc.
>
> root@fuse-jail:~ # ls -la /mnt
> total 4545
> drwxr-x--x   1 user  user     84 Jun 17 18:51 .
> drwxr-xr-x  20 root  wheel    25 May 30 22:14 ..
> -rw-------   1 user  user   2867 Apr  9  2019 .bash_history
> -rw-r--r--   1 user  user   9286 Jun 17 06:00 .bash_profile
> lrwxr-xr-x   1 user  user     52 Jan 23  2020 .bashrc
> drwx------   1 user  user     12 May 18 12:49 .cache
> ...
>
> However, the unprivileged user cannot, despite being the owner of the
> directory.
>
> user@fuse-jail:~ % ls -la /
> ...
> drwxr-x--x   1 user  user     84 Jun 17 18:51 mnt
> ...
>
> user@fuse-jail:~ % ls -la /mnt
> total 0
> ls: /mnt: Operation not permitted
>
> Expected behaviour is that user can access /mnt.
>
> Thanks in advance for any ideas!
> David

To mount a FUSE file system you need write access to the fuse device and
the permission to mount a file system. The first is controlled by
permissions on the fuse device(s) the second is controlled through the
vfs.usermount sysctl. By default only root is allowed to mount file
systems.
From nobody Fri Jun 18 13:00:31 2021
From: David Schlachter
To: freebsd-jail@freebsd.org
Subject: Re: Only root can access a fusefs mount in a jail?
Date: Fri, 18 Jun 2021 09:00:31 -0400
In-Reply-To: <5277b3d5-dd8a-bb45-5dbd-aa9c66d9ce72@rlwinm.de>

On Fri, 18 Jun 2021 at 07:00, Crest wrote:

> To mount a FUSE file system you need write access to the fuse device and
> the permission to mount a file system. The first is controlled by
> permissions on the fuse device(s) the second is controlled through the
> vfs.usermount sysctl. By default only root is allowed to mount file
> systems.

Thanks for your reply! In my jail, root is able to mount a fuse device. If
the permissions on the mounted device (and its contents) are 0777, I expect
that all other users in the jail should be able to view the contents of the
mount (e.g. cd in to the mount, ls the files, etc). However, even though the
device is mounted and the permissions should allow all other users to access
the mount, only root can actually access it.

I want root to be able to mount the device, and all other users to access it.

David