From owner-trustedbsd-discuss@freebsd.org Sun Nov 29 12:51:18 2020 Return-Path: Delivered-To: trustedbsd-discuss@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 8E2794A12FC; Sun, 29 Nov 2020 12:51:18 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CkSsf3VgZz4ZGW; Sun, 29 Nov 2020 12:51:18 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mx1.sbone.de (cross.sbone.de [195.201.62.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx1.sbone.de", Issuer "SBone.DE" (not verified)) (Authenticated sender: bz/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 429D0231C6; Sun, 29 Nov 2020 12:51:18 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id CB2F58D4A166; Sun, 29 Nov 2020 12:51:16 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 22AE9E707C7; Sun, 29 Nov 2020 12:51:16 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id zA18_IwF1If9; Sun, 29 Nov 2020 12:51:13 +0000 (UTC) Received: from [127.0.0.1] (unknown [IPv6:fde9:577b:c1a9:4902:20d4:cd87:918b:4dde]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 841D2E707C2; Sun, 29 Nov 2020 12:51:13 +0000 (UTC) From: "Bjoern A. Zeeb" To: "Kyle Evans" , "James Gritton" Cc: freebsd-jail , freebsd-arch@freebsd.org, trustedbsd-discuss@freebsd.org Subject: Re: RFC: Jail privsets Date: Sun, 29 Nov 2020 12:51:12 +0000 X-Mailer: MailMate (2.0BETAr6151) Message-ID: In-Reply-To: References: <06F654BB-B087-4AE5-8599-E5837A85A850@FreeBSD.org> <6BA03DAD-BDCD-4A53-A80A-4B7B476B803C@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit X-BeenThere: trustedbsd-discuss@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Nov 2020 12:51:18 -0000 On 28 Nov 2020, at 14:39, Kyle Evans wrote: Hi, Cc: jamie explicitly as he might have thoughts as well. > Yeah, so jail sets are a little tricky, and to be honest I haven't > really thought about how to cope with common jail sets. The > complication arises because you have various allow flags that > typically default to off and turn privileges on, but your common sets > would have to include them. So, you'd probably end up with: > > privset 0: All privs available to the superuser (not considering > superuser policy just yet) > privset 1: All privs available to jails (assuming most permissive, all > allow flags on and assuming a new vnet on VIMAGE systems) > > So jails would typically inherit privset 1, but they'd have to mask > out based on vnet/allow flags out of necessity. Now, that's not > terrible, but I think we'd have to do a couple more things to reduce > maintenance burden on folks introducing privs: > > 1.) Clearly define a central table that maps pr_flags <-> privs where > there's a 1:1 mapping (most common, though PRIV_VFS_*MOUNT* are a > little more complicated) > 2.) Walk said table when we're defining privs in privset 1 > 3.) Walk said table when we're determining what to mask out > > I suspect the vnet set is large enough that we'd just have a separate > kernel-internal mask for "vnet privs". In any event, for most people, > there will be one of three places that you might touch when adding a > new priv flag or pr_flag mapping to a priv, but it should still be > obvious what you want: either you want a conditionally added flag, you > want to influence the default jail policy, or you want to change the > vnet policy. The latter two scenarios might even be a little easier, > because you don't need to wade through these gigantic switch > statements with a lot of cases to determine where you really want it > to go. I think this is all terribly too complicated. If we’ll have manageable fine-grained priv system, them retire allow and vnet checks for PRIV_* checks and be done with it. If we need new PRIV_* checks to accomplish that adding PRIV_* is semi-cheap to add. The big switch statements in kern_jail.c will go as the applied priv set will do the right thing already, which means at this point we’d have a base-system-privset, a classic-jail-privset, a vnet-jail-privset by default probably. If we want to keep allow* in jails we can probably make them compat code to adjust PRIV_* but I am not sure I’d want jail to still do that or a separate priv command (a la cpuset). Means jails become simple again and a lot of the complicate logic can drop out. >> And yes, that would indeed simplify our jail and network stack (and some >> other) >> code quite a bit. >> >> I’d love this (step-by-step or in whole right away) :-) >> > > :-) > > I'm looking to see if I can define a useful abstraction from > cpuset/domainset that would limit the amount of duplication needed for > this, then I'll post a v2 to Phabricator. There’s probably edge cases in which managing privsets will be a priv as well and we’ll probably need multiple cases: one that can still “widen” priv and one that can only copy-and-further-restrict-only. The latter probably being the default. /bz From owner-trustedbsd-discuss@freebsd.org Sun Nov 29 15:34:00 2020 Return-Path: Delivered-To: trustedbsd-discuss@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3AEEF4A5693; Sun, 29 Nov 2020 15:34:00 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CkXTN15Zbz4m7r; Sun, 29 Nov 2020 15:34:00 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: from mail-qt1-f181.google.com (mail-qt1-f181.google.com [209.85.160.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) (Authenticated sender: kevans) by smtp.freebsd.org (Postfix) with ESMTPSA id 137BD24563; Sun, 29 Nov 2020 15:34:00 +0000 (UTC) (envelope-from kevans@freebsd.org) Received: by mail-qt1-f181.google.com with SMTP id k4so1821686qtj.10; Sun, 29 Nov 2020 07:34:00 -0800 (PST) X-Gm-Message-State: AOAM5332+zxGyKIYu64w8dxgq8bW6bN+ggzbZb+00g6HGEND69Gwxzqk dqw0FTdFCN4kWGFM0dv31OMZ3HFf3yZKpysi3Gs= X-Google-Smtp-Source: ABdhPJwt4wWA6TB+MdFxhKXGba9zwtDkH4LTSlpJZrGx6P8qjaDA4J65koWLHyQ1WBjROcwNHz3IwSCtkfDXUFAjezw= X-Received: by 2002:ac8:5345:: with SMTP id d5mr17864902qto.60.1606664039506; Sun, 29 Nov 2020 07:33:59 -0800 (PST) MIME-Version: 1.0 References: <06F654BB-B087-4AE5-8599-E5837A85A850@FreeBSD.org> <6BA03DAD-BDCD-4A53-A80A-4B7B476B803C@FreeBSD.org> In-Reply-To: From: Kyle Evans Date: Sun, 29 Nov 2020 09:33:48 -0600 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: RFC: Jail privsets To: "Bjoern A. Zeeb" Cc: James Gritton , freebsd-jail , "freebsd-arch@freebsd.org" , trustedbsd-discuss@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-BeenThere: trustedbsd-discuss@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Nov 2020 15:34:00 -0000 On Sun, Nov 29, 2020 at 6:51 AM Bjoern A. Zeeb wrote: > > On 28 Nov 2020, at 14:39, Kyle Evans wrote: > > Hi, > > Cc: jamie explicitly as he might have thoughts as well. > > > Yeah, so jail sets are a little tricky, and to be honest I haven't > > really thought about how to cope with common jail sets. The > > complication arises because you have various allow flags that > > typically default to off and turn privileges on, but your common sets > > would have to include them. So, you'd probably end up with: > > > > privset 0: All privs available to the superuser (not considering > > superuser policy just yet) > > privset 1: All privs available to jails (assuming most permissive, all > > allow flags on and assuming a new vnet on VIMAGE systems) > > > > So jails would typically inherit privset 1, but they'd have to mask > > out based on vnet/allow flags out of necessity. Now, that's not > > terrible, but I think we'd have to do a couple more things to reduce > > maintenance burden on folks introducing privs: > > > > 1.) Clearly define a central table that maps pr_flags <-> privs where > > there's a 1:1 mapping (most common, though PRIV_VFS_*MOUNT* are a > > little more complicated) > > 2.) Walk said table when we're defining privs in privset 1 > > 3.) Walk said table when we're determining what to mask out > > > > I suspect the vnet set is large enough that we'd just have a separate > > kernel-internal mask for "vnet privs". In any event, for most people, > > there will be one of three places that you might touch when adding a > > new priv flag or pr_flag mapping to a priv, but it should still be > > obvious what you want: either you want a conditionally added flag, you > > want to influence the default jail policy, or you want to change the > > vnet policy. The latter two scenarios might even be a little easier, > > because you don't need to wade through these gigantic switch > > statements with a lot of cases to determine where you really want it > > to go. > > I think this is all terribly too complicated. > > If we=E2=80=99ll have manageable fine-grained priv system, them retire al= low and > vnet checks for PRIV_* checks and be done with it. If we need new PRIV_* > checks to accomplish that adding PRIV_* is semi-cheap to add. > > The big switch statements in kern_jail.c will go as the applied priv set > will do the right thing already, which means at this point we=E2=80=99d h= ave > a base-system-privset, a classic-jail-privset, a vnet-jail-privset by > default probably. > > If we want to keep allow* in jails we can probably make them compat code > to adjust PRIV_* but I am not sure I=E2=80=99d want jail to still do that= or a > separate priv command (a la cpuset). > > Means jails become simple again and a lot of the complicate logic can > drop out. > Sure- I'm not so sure about vnet, but all of the allow flags could get deprecated in favor of describing the privs available somewhere and letting admin make decisions. I think the vnet set still makes a lot of sense unless you're also proposing that we could just create new vnets if one of those privileges is turned on -- in which case, we'd still have to manage the set, but it wouldn't be used much beyond a hint mask that we need to create a vnet. > >> And yes, that would indeed simplify our jail and network stack (and so= me > >> other) > >> code quite a bit. > >> > >> I=E2=80=99d love this (step-by-step or in whole right away) :-) > >> > > > > :-) > > > > I'm looking to see if I can define a useful abstraction from > > cpuset/domainset that would limit the amount of duplication needed for > > this, then I'll post a v2 to Phabricator. > > There=E2=80=99s probably edge cases in which managing privsets will be a = priv as > well and we=E2=80=99ll probably need multiple cases: one that can still = =E2=80=9Cwiden=E2=80=9D > priv and one that can only copy-and-further-restrict-only. The latter > probably being the default. > True enough. From owner-trustedbsd-discuss@freebsd.org Sun Nov 29 15:41:39 2020 Return-Path: Delivered-To: trustedbsd-discuss@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id ECDC24A5CB1; Sun, 29 Nov 2020 15:41:39 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CkXfC6Dt5z4mf6; Sun, 29 Nov 2020 15:41:39 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mx1.sbone.de (cross.sbone.de [195.201.62.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx1.sbone.de", Issuer "SBone.DE" (not verified)) (Authenticated sender: bz/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id AEF7124177; Sun, 29 Nov 2020 15:41:39 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id A61058D4A166; Sun, 29 Nov 2020 15:41:38 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 273DEE707C7; Sun, 29 Nov 2020 15:41:38 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id mvFUICsQe4UG; Sun, 29 Nov 2020 15:41:37 +0000 (UTC) Received: from [127.0.0.1] (unknown [IPv6:fde9:577b:c1a9:4902:20d4:cd87:918b:4dde]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id B69CCE707C2; Sun, 29 Nov 2020 15:41:36 +0000 (UTC) From: "Bjoern A. Zeeb" To: "Kyle Evans" Cc: "James Gritton" , freebsd-jail , freebsd-arch@freebsd.org, trustedbsd-discuss@freebsd.org Subject: Re: RFC: Jail privsets Date: Sun, 29 Nov 2020 15:41:36 +0000 X-Mailer: MailMate (2.0BETAr6151) Message-ID: In-Reply-To: References: <06F654BB-B087-4AE5-8599-E5837A85A850@FreeBSD.org> <6BA03DAD-BDCD-4A53-A80A-4B7B476B803C@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: trustedbsd-discuss@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Nov 2020 15:41:40 -0000 On 29 Nov 2020, at 15:33, Kyle Evans wrote: > Sure- I'm not so sure about vnet, but all of the allow flags could get > deprecated in favor of describing the privs available somewhere and > letting admin make decisions. I think the vnet set still makes a lot > of sense unless you're also proposing that we could just create new > vnets if one of those privileges is turned on -- in which case, we'd > still have to manage the set, but it wouldn't be used much beyond a > hint mask that we need to create a vnet. What I am thinking of is a /etc/defaults/devfs.rules a-like set of privs describing base, jail, jailvnet and then pick appropriately if the jail gets created with vnet (though I can imagine some people extending a default jail set — e.g. for raw sockets — or removing some privs from a vnet jail set). The tricky bit would be to manage the header file and the text description, but having a default wildcard of “*” or “all” for base would probably catch the most cases. /bz From owner-trustedbsd-discuss@freebsd.org Sun Nov 29 20:09:23 2020 Return-Path: Delivered-To: trustedbsd-discuss@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C6AF54ABCBA; Sun, 29 Nov 2020 20:09:23 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org (gritton.org [199.192.165.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ckfb74nkjz3MJs; Sun, 29 Nov 2020 20:09:23 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org ([127.0.0.131]) (authenticated bits=0) by gritton.org (8.15.2/8.15.2) with ESMTPA id 0ATK9Ggf019835; Sun, 29 Nov 2020 12:09:16 -0800 (PST) (envelope-from jamie@freebsd.org) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Date: Sun, 29 Nov 2020 12:09:16 -0800 From: James Gritton To: "Bjoern A. Zeeb" Cc: Kyle Evans , freebsd-jail , freebsd-arch@freebsd.org, trustedbsd-discuss@freebsd.org Subject: Re: RFC: Jail privsets In-Reply-To: References: <06F654BB-B087-4AE5-8599-E5837A85A850@FreeBSD.org> <6BA03DAD-BDCD-4A53-A80A-4B7B476B803C@FreeBSD.org> User-Agent: Roundcube Webmail/1.4.1 Message-ID: <782331951af5589aac5d6225a274cc60@freebsd.org> X-Sender: jamie@freebsd.org X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (gritton.org [127.0.0.131]); Sun, 29 Nov 2020 13:09:16 -0700 (MST) X-Rspamd-Queue-Id: 4Ckfb74nkjz3MJs X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-BeenThere: trustedbsd-discuss@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Nov 2020 20:09:23 -0000 On 2020-11-29 04:51, Bjoern A. Zeeb wrote: > On 28 Nov 2020, at 14:39, Kyle Evans wrote: > > Hi, > > Cc: jamie explicitly as he might have thoughts as well. Heh - I've been following along, and my thought have mostly consisted of "well this is interesting and complicated." :-) >> Yeah, so jail sets are a little tricky, and to be honest I haven't >> really thought about how to cope with common jail sets. The >> complication arises because you have various allow flags that >> typically default to off and turn privileges on, but your common sets >> would have to include them. So, you'd probably end up with: >> >> privset 0: All privs available to the superuser (not considering >> superuser policy just yet) >> privset 1: All privs available to jails (assuming most permissive, all >> allow flags on and assuming a new vnet on VIMAGE systems) >> >> So jails would typically inherit privset 1, but they'd have to mask >> out based on vnet/allow flags out of necessity. Now, that's not >> terrible, but I think we'd have to do a couple more things to reduce >> maintenance burden on folks introducing privs: >> >> 1.) Clearly define a central table that maps pr_flags <-> privs where >> there's a 1:1 mapping (most common, though PRIV_VFS_*MOUNT* are a >> little more complicated) >> 2.) Walk said table when we're defining privs in privset 1 >> 3.) Walk said table when we're determining what to mask out >> >> I suspect the vnet set is large enough that we'd just have a separate >> kernel-internal mask for "vnet privs". In any event, for most people, >> there will be one of three places that you might touch when adding a >> new priv flag or pr_flag mapping to a priv, but it should still be >> obvious what you want: either you want a conditionally added flag, you >> want to influence the default jail policy, or you want to change the >> vnet policy. The latter two scenarios might even be a little easier, >> because you don't need to wade through these gigantic switch >> statements with a lot of cases to determine where you really want it >> to go. > > I think this is all terribly too complicated. > > If we’ll have manageable fine-grained priv system, them retire allow > and > vnet checks for PRIV_* checks and be done with it. If we need new > PRIV_* > checks to accomplish that adding PRIV_* is semi-cheap to add. > > The big switch statements in kern_jail.c will go as the applied priv > set > will do the right thing already, which means at this point we’d have > a base-system-privset, a classic-jail-privset, a vnet-jail-privset by > default probably. > > If we want to keep allow* in jails we can probably make them compat > code > to adjust PRIV_* but I am not sure I’d want jail to still do that or a > separate priv command (a la cpuset). > > Means jails become simple again and a lot of the complicate logic can > drop out. I'm not against deprecating the allow.* hooks, but I suspect they'll end up sticking around a long time (forever) in deprecated form. I've considered removing the old global security.jail.whatever_allowed sysctls that cause more confusion than anything else, and kind of had to give it up against a wall of concern that somebody out there still used it. I'll admit that the proliferation of allow.mount.foofs is kind of abomination, but that's kind of how things grew up, and there isn't a good fit with the current priv system. It could well be that all of those are unnecessary and we either trust jails to mount all of the filesystems of none of the filesystems. However it works out, I agree that a single view of privilege management makes more sense than multiple ways of saying the same thing. So I (without having studied it much) tend to agree with the idea of reducing the jail/priv shim layer as much as possible. I'm just not sure how possible it will be. - Jamie From owner-trustedbsd-discuss@freebsd.org Wed Dec 2 13:53:02 2020 Return-Path: Delivered-To: trustedbsd-discuss@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id E100A47BB59 for ; Wed, 2 Dec 2020 13:53:02 +0000 (UTC) (envelope-from 0100017623b4bca2-f68b3a3e-6b9c-4248-8b6d-68024da2cdda-000000@amazonses.com) Received: from cyrus.watson.org (cyrus.watson.org [204.107.128.30]) by mx1.freebsd.org (Postfix) with ESMTP id 4CmL5V2qyYz4pJV for ; Wed, 2 Dec 2020 13:53:02 +0000 (UTC) (envelope-from 0100017623b4bca2-f68b3a3e-6b9c-4248-8b6d-68024da2cdda-000000@amazonses.com) Received: from a9-54.smtp-out.amazonses.com (a9-54.smtp-out.amazonses.com [54.240.9.54]) by cyrus.watson.org (Postfix) with ESMTPS id 7722D8EAE7 for ; Wed, 2 Dec 2020 13:46:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1606916816; h=Date:To:From:Reply-To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Feedback-ID; bh=z6AZOsHqtsAqTGQ8cFtVOGAWT/La0J7dotvj8/5K9fs=; b=EZ52BMAXu4SZbq1OKLy+ehdL9DdUWbmzsil9zVLxl7OrDXMtkQJC85/fwvNijwh/ 9acNKPU57aYvruKuYGhcyX5za5BMGXVLf4/xGQOiwA0J5x+fwhJcSjLm4RvxlH1aWO9 dTATOTQI9nZW/ALDgK7A9PyzDl806PARvowHInyA= Date: Wed, 2 Dec 2020 13:46:56 +0000 To: trustedbsd-discuss@trustedbsd.org From: Protective Supply Plus Reply-To: Protective Supply Plus Subject: Lysol Disinfectant Spray 19 oz. Available 12pk, 48pk Message-ID: <0100017623b4bca2-f68b3a3e-6b9c-4248-8b6d-68024da2cdda-000000@email.amazonses.com> X-Mailer: Sendy (https://sendy.co) X-SES-Outgoing: 2020.12.02-54.240.9.54 Feedback-ID: 1.us-east-1.RTkVlVss2raM7wDWWhOx+0W68/4zoRImF6RxgXPSLsE=:AmazonSES X-Rspamd-Queue-Id: 4CmL5V2qyYz4pJV X-Spamd-Bar: +++++++++++ Authentication-Results: mx1.freebsd.org; dkim=pass header.d=amazonses.com header.s=224i4yxa5dv7c2xz3womw6peuasteono header.b=EZ52BMAX; dmarc=none; spf=fail (mx1.freebsd.org: domain of 0100017623b4bca2-f68b3a3e-6b9c-4248-8b6d-68024da2cdda-000000@amazonses.com does not designate 204.107.128.30 as permitted sender) smtp.mailfrom=0100017623b4bca2-f68b3a3e-6b9c-4248-8b6d-68024da2cdda-000000@amazonses.com X-Spamd-Result: default: False [11.76 / 15.00]; HAS_REPLYTO(0.00)[web@protectivesupplyplus.com]; TO_DN_NONE(0.00)[]; DKIM_TRACE(0.00)[amazonses.com:+]; FORGED_SENDER(0.30)[web@protectivesupplyplus.com,0100017623b4bca2-f68b3a3e-6b9c-4248-8b6d-68024da2cdda-000000@amazonses.com]; RCVD_NO_TLS_LAST(0.10)[]; MIME_TRACE(0.00)[0:~]; RBL_DBL_DONT_QUERY_IPS(0.00)[204.107.128.30:from]; FORGED_RECIPIENTS(2.00)[m:trustedbsd-discuss@trustedbsd.org,s:trustedbsd-discuss@freebsd.org]; ASN(0.00)[asn:11288, ipnet:204.107.128.0/24, country:US]; FROM_NEQ_ENVFROM(0.00)[web@protectivesupplyplus.com,0100017623b4bca2-f68b3a3e-6b9c-4248-8b6d-68024da2cdda-000000@amazonses.com]; ARC_NA(0.00)[]; R_SPF_FAIL(1.00)[-all:c]; R_DKIM_ALLOW(-0.20)[amazonses.com:s=224i4yxa5dv7c2xz3womw6peuasteono]; REPLYTO_EQ_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; NEURAL_SPAM_SHORT(0.87)[0.874]; HTML_SHORT_LINK_IMG_2(1.00)[]; PREVIOUSLY_DELIVERED(0.00)[trustedbsd-discuss@trustedbsd.org]; DMARC_NA(0.00)[protectivesupplyplus.com]; HAS_LIST_UNSUB(-0.01)[]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[204.107.128.30:from:127.0.2.255]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; VIOLATED_DIRECT_SPF(3.50)[]; FROM_SERVICE_ACCT(1.00)[]; NEURAL_SPAM_LONG(1.00)[1.000]; MIME_HTML_ONLY(0.20)[]; RCVD_COUNT_TWO(0.00)[2]; GREYLIST(0.00)[pass,body]; MAILMAN_DEST(0.00)[trustedbsd-discuss] X-Spam: Yes MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.34 X-BeenThere: trustedbsd-discuss@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Dec 2020 13:53:02 -0000 From owner-trustedbsd-discuss@freebsd.org Thu Dec 3 09:58:20 2020 Return-Path: Delivered-To: trustedbsd-discuss@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D0DED4A12D4 for ; Thu, 3 Dec 2020 09:58:20 +0000 (UTC) (envelope-from 010001762802c136-43f57f8f-fcb5-455c-bd23-4dd3bbf73fed-000000@amazonses.com) Received: from cyrus.watson.org (cyrus.watson.org [204.107.128.30]) by mx1.freebsd.org (Postfix) with ESMTP id 4CmrrD1sX1z3LHg for ; Thu, 3 Dec 2020 09:58:20 +0000 (UTC) (envelope-from 010001762802c136-43f57f8f-fcb5-455c-bd23-4dd3bbf73fed-000000@amazonses.com) Received: from a9-46.smtp-out.amazonses.com (a9-46.smtp-out.amazonses.com [54.240.9.46]) by cyrus.watson.org (Postfix) with ESMTPS id 67C7756DD7 for ; Thu, 3 Dec 2020 09:50:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1606989037; h=Date:To:From:Reply-To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Feedback-ID; bh=mag2BAOwaSChsVii21GDAvFZxYHfY8wjUteEOotgtlk=; b=EMG8NuW9ff6Y6BVC1HTu1HebP9FhtQvVLKS13WzGmI+J3AgByPQ3agXbxN95IFjF xQVCE59ZyNcWXh1CyVKAc9tWPHseAoRDvNYW0pX4Lnz1KPq+rD5KY645hgDGc8UqtKe GpZWZjjK2yM34hsIBdK6QDu35yOGDkSYmoYwCGUg= Date: Thu, 3 Dec 2020 09:50:37 +0000 To: trustedbsd-discuss@trustedbsd.org From: Protective Supply Plus Reply-To: Protective Supply Plus Subject: Lysol Disinfecting Wipes 80-Count Still Available Message-ID: <010001762802c136-43f57f8f-fcb5-455c-bd23-4dd3bbf73fed-000000@email.amazonses.com> X-Mailer: Sendy (https://sendy.co) X-SES-Outgoing: 2020.12.03-54.240.9.46 Feedback-ID: 1.us-east-1.RTkVlVss2raM7wDWWhOx+0W68/4zoRImF6RxgXPSLsE=:AmazonSES X-Rspamd-Queue-Id: 4CmrrD1sX1z3LHg X-Spamd-Bar: +++++++++++ Authentication-Results: mx1.freebsd.org; dkim=pass header.d=amazonses.com header.s=224i4yxa5dv7c2xz3womw6peuasteono header.b=EMG8NuW9; dmarc=none; spf=fail (mx1.freebsd.org: domain of 010001762802c136-43f57f8f-fcb5-455c-bd23-4dd3bbf73fed-000000@amazonses.com does not designate 204.107.128.30 as permitted sender) smtp.mailfrom=010001762802c136-43f57f8f-fcb5-455c-bd23-4dd3bbf73fed-000000@amazonses.com X-Spamd-Result: default: False [11.19 / 15.00]; HAS_REPLYTO(0.00)[web@protectivesupplyplus.com]; TO_DN_NONE(0.00)[]; DKIM_TRACE(0.00)[amazonses.com:+]; FORGED_SENDER(0.30)[web@protectivesupplyplus.com,010001762802c136-43f57f8f-fcb5-455c-bd23-4dd3bbf73fed-000000@amazonses.com]; RCVD_NO_TLS_LAST(0.10)[]; MIME_TRACE(0.00)[0:~]; RBL_DBL_DONT_QUERY_IPS(0.00)[204.107.128.30:from]; FORGED_RECIPIENTS(2.00)[m:trustedbsd-discuss@trustedbsd.org,s:trustedbsd-discuss@freebsd.org]; ASN(0.00)[asn:11288, ipnet:204.107.128.0/24, country:US]; FROM_NEQ_ENVFROM(0.00)[web@protectivesupplyplus.com,010001762802c136-43f57f8f-fcb5-455c-bd23-4dd3bbf73fed-000000@amazonses.com]; ARC_NA(0.00)[]; R_SPF_FAIL(1.00)[-all:c]; R_DKIM_ALLOW(-0.20)[amazonses.com:s=224i4yxa5dv7c2xz3womw6peuasteono]; REPLYTO_EQ_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; NEURAL_SPAM_SHORT(0.30)[0.305]; HTML_SHORT_LINK_IMG_2(1.00)[]; PREVIOUSLY_DELIVERED(0.00)[trustedbsd-discuss@trustedbsd.org]; DMARC_NA(0.00)[protectivesupplyplus.com]; HAS_LIST_UNSUB(-0.01)[]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[204.107.128.30:from:127.0.2.255]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; VIOLATED_DIRECT_SPF(3.50)[]; FROM_SERVICE_ACCT(1.00)[]; NEURAL_SPAM_LONG(1.00)[1.000]; MIME_HTML_ONLY(0.20)[]; RCVD_COUNT_TWO(0.00)[2]; GREYLIST(0.00)[pass,body]; MAILMAN_DEST(0.00)[trustedbsd-discuss] X-Spam: Yes MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.34 X-BeenThere: trustedbsd-discuss@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Dec 2020 09:58:20 -0000 From owner-trustedbsd-discuss@freebsd.org Fri Dec 4 09:53:33 2020 Return-Path: Delivered-To: trustedbsd-discuss@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id BEEB3479C0E for ; Fri, 4 Dec 2020 09:53:33 +0000 (UTC) (envelope-from 010001762d271ab1-36fc7ccc-ba52-418f-bf9a-e40de5fbb7c1-000000@amazonses.com) Received: from cyrus.watson.org (cyrus.watson.org [204.107.128.30]) by mx1.freebsd.org (Postfix) with ESMTP id 4CnShF1v1gz4VmQ for ; Fri, 4 Dec 2020 09:53:33 +0000 (UTC) (envelope-from 010001762d271ab1-36fc7ccc-ba52-418f-bf9a-e40de5fbb7c1-000000@amazonses.com) Received: from a9-92.smtp-out.amazonses.com (a9-92.smtp-out.amazonses.com [54.240.9.92]) by cyrus.watson.org (Postfix) with ESMTPS id AD94F8DF83 for ; Fri, 4 Dec 2020 09:48:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1607075306; h=Date:To:From:Reply-To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Feedback-ID; bh=Yh1pwT0caCLHggHm5wXk6XK4P18Qk8KqNODSGdOwqno=; b=AsCQwl6hwVlRFEwhx0H7guWl7ZjOxvEvjcB8bg2DFJWhO+IMIGV34lSsWoxlxeR/ 0YlrDL5zLGAC5UBnNKqxMtNfqjpAXaZRSZPZwFisj5TtAAb7TRCQaznVT+spwrgcWN0 urGq+hCrVCy8/b+nhXysX6ENCYj5TWjt8h5cmDGA= Date: Fri, 4 Dec 2020 09:48:26 +0000 To: trustedbsd-discuss@trustedbsd.org From: Protective Supply Plus Reply-To: Protective Supply Plus Subject: Lysol Disinfecting Wipes 80-Count 12pk, 48pk Message-ID: <010001762d271ab1-36fc7ccc-ba52-418f-bf9a-e40de5fbb7c1-000000@email.amazonses.com> X-Mailer: Sendy (https://sendy.co) X-SES-Outgoing: 2020.12.04-54.240.9.92 Feedback-ID: 1.us-east-1.RTkVlVss2raM7wDWWhOx+0W68/4zoRImF6RxgXPSLsE=:AmazonSES X-Rspamd-Queue-Id: 4CnShF1v1gz4VmQ X-Spamd-Bar: ++++++++++ Authentication-Results: mx1.freebsd.org; dkim=pass header.d=amazonses.com header.s=224i4yxa5dv7c2xz3womw6peuasteono header.b=AsCQwl6h; dmarc=none; spf=fail (mx1.freebsd.org: domain of 010001762d271ab1-36fc7ccc-ba52-418f-bf9a-e40de5fbb7c1-000000@amazonses.com does not designate 204.107.128.30 as permitted sender) smtp.mailfrom=010001762d271ab1-36fc7ccc-ba52-418f-bf9a-e40de5fbb7c1-000000@amazonses.com X-Spamd-Result: default: False [10.91 / 15.00]; HAS_REPLYTO(0.00)[web@protectivesupplyplus.com]; TO_DN_NONE(0.00)[]; DKIM_TRACE(0.00)[amazonses.com:+]; FORGED_SENDER(0.30)[web@protectivesupplyplus.com,010001762d271ab1-36fc7ccc-ba52-418f-bf9a-e40de5fbb7c1-000000@amazonses.com]; RCVD_NO_TLS_LAST(0.10)[]; MIME_TRACE(0.00)[0:~]; RBL_DBL_DONT_QUERY_IPS(0.00)[204.107.128.30:from]; FORGED_RECIPIENTS(2.00)[m:trustedbsd-discuss@trustedbsd.org,s:trustedbsd-discuss@freebsd.org]; ASN(0.00)[asn:11288, ipnet:204.107.128.0/24, country:US]; FROM_NEQ_ENVFROM(0.00)[web@protectivesupplyplus.com,010001762d271ab1-36fc7ccc-ba52-418f-bf9a-e40de5fbb7c1-000000@amazonses.com]; ARC_NA(0.00)[]; R_SPF_FAIL(1.00)[-all:c]; R_DKIM_ALLOW(-0.20)[amazonses.com:s=224i4yxa5dv7c2xz3womw6peuasteono]; REPLYTO_EQ_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; NEURAL_SPAM_SHORT(0.02)[0.018]; HTML_SHORT_LINK_IMG_2(1.00)[]; PREVIOUSLY_DELIVERED(0.00)[trustedbsd-discuss@trustedbsd.org]; DMARC_NA(0.00)[protectivesupplyplus.com]; HAS_LIST_UNSUB(-0.01)[]; RCPT_COUNT_ONE(0.00)[1]; SPAMHAUS_ZRD(0.00)[204.107.128.30:from:127.0.2.255]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; VIOLATED_DIRECT_SPF(3.50)[]; FROM_SERVICE_ACCT(1.00)[]; NEURAL_SPAM_LONG(1.00)[1.000]; MIME_HTML_ONLY(0.20)[]; RCVD_COUNT_TWO(0.00)[2]; GREYLIST(0.00)[pass,body]; MAILMAN_DEST(0.00)[trustedbsd-discuss] X-Spam: Yes MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.34 X-BeenThere: trustedbsd-discuss@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Dec 2020 09:53:33 -0000