From owner-freebsd-bugs@FreeBSD.ORG  Thu Nov  8 10:50:01 2012
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 58425E68
 for <freebsd-bugs@hub.freebsd.org>; Thu,  8 Nov 2012 10:50:01 +0000 (UTC)
 (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id 28A1D8FC0A
 for <freebsd-bugs@hub.freebsd.org>; Thu,  8 Nov 2012 10:50:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id qA8Ao1NM032220
 for <freebsd-bugs@freefall.freebsd.org>; Thu, 8 Nov 2012 10:50:01 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.5/8.14.5/Submit) id qA8Ao1Rs032219;
 Thu, 8 Nov 2012 10:50:01 GMT (envelope-from gnats)
Resent-Date: Thu, 8 Nov 2012 10:50:01 GMT
Resent-Message-Id: <201211081050.qA8Ao1Rs032219@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
 Anton Yuzhaninov <ayuzhaninov@openstat.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 1F504B13;
 Thu,  8 Nov 2012 10:43:29 +0000 (UTC)
 (envelope-from ayuzhaninov@openstat.ru)
Received: from mail.openstat.ru (mail.openstat.ru [193.169.234.252])
 by mx1.freebsd.org (Postfix) with ESMTP id BA9658FC16;
 Thu,  8 Nov 2012 10:43:27 +0000 (UTC)
Received: from crawler02.prod.vega.ru ([10.25.1.5] helo=crw02.mgmt.vega.ru)
 by mail.openstat.ru with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
 (Exim 4.80.1 (FreeBSD)) (envelope-from <ayuzhaninov@openstat.ru>)
 id 1TWPRD-0004pG-Mv; Thu, 08 Nov 2012 14:34:19 +0400
Received: from crw02.mgmt.vega.ru (localhost [127.0.0.1])
 by crw02.mgmt.vega.ru (8.14.5/8.14.5) with ESMTP id qA8AYJe4098287;
 Thu, 8 Nov 2012 10:34:19 GMT (envelope-from ayuzhaninov@openstat.ru)
Received: (from ayuzhaninov@localhost)
 by crw02.mgmt.vega.ru (8.14.5/8.14.5/Submit) id qA8AYJiB098286;
 Thu, 8 Nov 2012 10:34:19 GMT (envelope-from ayuzhaninov@openstat.ru)
Message-Id: <201211081034.qA8AYJiB098286@crw02.mgmt.vega.ru>
Date: Thu, 8 Nov 2012 10:34:19 GMT
From: Anton Yuzhaninov <ayuzhaninov@openstat.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.114
Subject: bin/173469: [jail] regression: security.jail.sysvipc_allowed=1 no
 longer respected
Cc: kuriyama@FreeBSD.org
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2012 10:50:01 -0000


>Number:         173469
>Category:       bin
>Synopsis:       [jail] regression: security.jail.sysvipc_allowed=1 no longer respected
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 08 10:50:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Anton Yuzhaninov
>Release:        FreeBSD 8.3-STABLE-20121101 amd64
>Organization:
>Environment:
System: FreeBSD crw02.mgmt.vega.ru 8.3-STABLE-20121101 FreeBSD 8.3-STABLE-20121101 #0: Thu Nov 1 00:25:48 UTC 2012 root@aleph.mgmt.vega.ru:/usr/obj/usr/src/sys/MGMT amd64

>Description:
After http://svn.freebsd.org/changeset/base/242083 our configuration is broken.
Despite sysctl security.jail.sysvipc_allowed=1 jail started with sysvipc disabled.

Adding jail_sysvipc_allow="YES" to /etc/rc.conf also don't help.

>How-To-Repeat:

sysctl security.jail.sysvipc_allowed=1

start jail using /etc/rc.d/jail without additional parameters.

jls -n will show
allow.nosysvipc

>Fix:

This problem caused by combination of two different changes:

1. In jail(8) command was implemented 'new mode', with support of name=value parameters.

Access to System V IPC is controlled by allow.sysvipc parameter, default to disable (allow.nosysvipc)
and this default is don't depend on sysctl security.jail.sysvipc_allowed.

With new mode jail(8), sysctl security.jail.sysvipc_allowed seems to be unused.

With old mode jail(8) invocation, sysctl security.jail.sysvipc_allowed still
can control access to System V IPC from jails.

2. In r242083 /etc/rc.d/jail was switched to new-style and nor sysctl security.jail.sysvipc_allowed nor
jail_sysvipc_allow="YES" in /etc/rc.conf affects allow.sysvipc jail parameter.

After r242083 it is possible to add jail_example_parameters="allow.sysvipc=1" to rc.conf for single jail,
but it is no longer possible to set default for all jails.

There is two possible decisions for this problem:

1. Fix jail(8) or jail(2) to respect sysctl security.jail.sysvipc_allowed=1

2. If there is plan to completely remove sysctl security.jail.sysvipc_allowed in future (POLA already has broken after r242083),
it is better to change /etc/rc.d/jail to add allow.sysvipc parameter to jail(8) if exist jail_sysvipc_allow="YES" in rc.conf
and there is no parameters like jail_example_parameters="allow.nosysvipc=1" or jail_example_parameters="allow.sysvipc=0" to
override default.

I'm prefer 1st fix.
>Release-Note:
>Audit-Trail:
>Unformatted: