Date: Thu, 8 Nov 2012 10:34:19 GMT From: Anton Yuzhaninov <ayuzhaninov@openstat.ru> To: FreeBSD-gnats-submit@FreeBSD.org Cc: kuriyama@FreeBSD.org Subject: bin/173469: [jail] regression: security.jail.sysvipc_allowed=1 no longer respected Message-ID: <201211081034.qA8AYJiB098286@crw02.mgmt.vega.ru> Resent-Message-ID: <201211081050.qA8Ao1Rs032219@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 173469 >Category: bin >Synopsis: [jail] regression: security.jail.sysvipc_allowed=1 no longer respected >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 08 10:50:00 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Anton Yuzhaninov >Release: FreeBSD 8.3-STABLE-20121101 amd64 >Organization: >Environment: System: FreeBSD crw02.mgmt.vega.ru 8.3-STABLE-20121101 FreeBSD 8.3-STABLE-20121101 #0: Thu Nov 1 00:25:48 UTC 2012 root@aleph.mgmt.vega.ru:/usr/obj/usr/src/sys/MGMT amd64 >Description: After http://svn.freebsd.org/changeset/base/242083 our configuration is broken. Despite sysctl security.jail.sysvipc_allowed=1 jail started with sysvipc disabled. Adding jail_sysvipc_allow="YES" to /etc/rc.conf also don't help. >How-To-Repeat: sysctl security.jail.sysvipc_allowed=1 start jail using /etc/rc.d/jail without additional parameters. jls -n will show allow.nosysvipc >Fix: This problem caused by combination of two different changes: 1. In jail(8) command was implemented 'new mode', with support of name=value parameters. Access to System V IPC is controlled by allow.sysvipc parameter, default to disable (allow.nosysvipc) and this default is don't depend on sysctl security.jail.sysvipc_allowed. With new mode jail(8), sysctl security.jail.sysvipc_allowed seems to be unused. With old mode jail(8) invocation, sysctl security.jail.sysvipc_allowed still can control access to System V IPC from jails. 2. In r242083 /etc/rc.d/jail was switched to new-style and nor sysctl security.jail.sysvipc_allowed nor jail_sysvipc_allow="YES" in /etc/rc.conf affects allow.sysvipc jail parameter. After r242083 it is possible to add jail_example_parameters="allow.sysvipc=1" to rc.conf for single jail, but it is no longer possible to set default for all jails. There is two possible decisions for this problem: 1. Fix jail(8) or jail(2) to respect sysctl security.jail.sysvipc_allowed=1 2. If there is plan to completely remove sysctl security.jail.sysvipc_allowed in future (POLA already has broken after r242083), it is better to change /etc/rc.d/jail to add allow.sysvipc parameter to jail(8) if exist jail_sysvipc_allow="YES" in rc.conf and there is no parameters like jail_example_parameters="allow.nosysvipc=1" or jail_example_parameters="allow.sysvipc=0" to override default. I'm prefer 1st fix. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201211081034.qA8AYJiB098286>