Subject: Re: Network namespaces in FreeBSD
From: Ihor Antonov
To: freebsd-questions@freebsd.org
Date: Thu, 24 Dec 2020 08:51:27 -0800
Message-ID: <5d38e65e-98e2-4c27-7ccb-37be93f868df@antonovs.family>
In-Reply-To: <9a80d70b-3f37-09ac-825f-c87e2c3e4925@qeng-ho.org>
On 12/24/20 8:22 AM, Arthur Chance wrote:
>>> Wouldn't a VNET jail rooted at / effectively be that?
>>>
>>
>> Last time I played with jails, setting the jail's root to '/' was not
>> allowed for some reason. I don't remember the exact error message though.
>
> I think that must have changed. Using a jail rooted at / used to be the
> recommended way of preventing rpcbind's wildcard listen from being a
> security loophole. You have inspired in me a desire to play again.
> I do remember that you can't nullfs mount / under itself.
>
>> I remember that I ended up null-mounting every directory in / (like bin,
>> sbin, etc.) to the jail's root directory, and that was quite painful to
>> do manually.
>
> I'm increasingly thinking that the file system layout needs a rethink to
> be able to handle jails and minimal app style devices like firewalls.
> Sadly inertia (and standards) will prevent that from happening.
Yes, there are some pain points with Jails, especially if we try to
simulate some nice features from the Linux world. Here are some of my
pain points:

- we can't null-mount a single file (useful to inject configs or sockets;
  Linux has mount --bind for that)
- combined with the jail's root on /, it would be nice to be able to make
  some parts of the tree read-only for the jail (or even hide them)

Fixing things like these would make it a lot easier and more attractive to
build container orchestration systems on FreeBSD, or to get better security
when running applications that need root. But I think it is not too much;
it can be fixed. I feel that the dynamics of FreeBSD development are
shifting a bit lately, so I stay hopeful.

I'd say that we need to collect all the use cases where people feel pain
using jails and write them down somewhere on the wiki. It would be a nice
starting point.

Ihor
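The workaround Ihor describes upthread (null-mounting every top-level directory into the jail root) and the read-only wish in his list can be scripted; the following is an added example written for this reply, not code from the thread or from FreeBSD. It assumes FreeBSD's mount_nullfs(8), and the jail root, the skip list and the read-write list are constructed sample values.

```sh
#!/bin/sh
# Constructed example: approximate "a jail rooted at /" by null-mounting each
# top-level directory into the jail root, read-only by default so the jail
# cannot modify the host tree. Assumes FreeBSD mount_nullfs(8); the jail
# root and the directory lists are made-up sample values.
set -e

# Never null-mount these: /dev gets a devfs with a ruleset, /proc and /tmp
# are mounted per jail rather than shared with the host.
SKIP_DIRS="dev proc tmp"
# Directories the jailed service may write to; everything else is mounted ro.
RW_DIRS="${RW_DIRS:-var home}"

in_list() { # in_list WORD "space separated list" -> true if WORD is listed
    for _w in $2; do [ "$_w" = "$1" ] && return 0; done
    return 1
}

# plan_mounts JAILROOT DIR... -> one "MODE SRC DST" line per directory
plan_mounts() {
    root="${1%/}"; shift
    for d in "$@"; do
        d="${d#/}"; d="${d%/}"
        in_list "$d" "$SKIP_DIRS" && continue
        # Skip the tree that contains the jail root so we never mount a
        # directory underneath itself (the thread notes nullfs refuses / there).
        case "$root/" in
            "/$d/"*) echo "skip /$d: contains the jail root" >&2; continue ;;
        esac
        if in_list "$d" "$RW_DIRS"; then mode=rw; else mode=ro; fi
        printf '%s /%s %s/%s\n' "$mode" "$d" "$root" "$d"
    done
}

# apply_mounts JAILROOT DIR...: perform the plan; DRY_RUN=1 (default) prints it.
apply_mounts() {
    plan_mounts "$@" | while read -r mode src dst; do
        # nullfs mounts directories only: a single file (a config or a socket)
        # cannot be injected this way, which is the first pain point above.
        if [ ! -d "$src" ]; then echo "skip $src: not a directory" >&2; continue; fi
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "mount_nullfs -o $mode $src $dst"
        else
            mkdir -p "$dst" && mount_nullfs -o "$mode" "$src" "$dst"
        fi
    done
}

# Usage: DRY_RUN=0 sh jail_nullfs.sh /jails/www bin sbin usr lib libexec etc var
if [ $# -gt 0 ]; then apply_mounts "$@"; fi
```

Run it with the default DRY_RUN=1 first and review the printed mount lines; the jail then sees a read-only copy of the host tree with writable /var and /home only.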