From owner-freebsd-questions@FreeBSD.ORG Sat Sep 13 17:31:12 2008
Date: Sat, 13 Sep 2008 19:31:02 +0200
From: Tobias Rehbein
To: freebsd-questions@freebsd.org
Message-ID: <20080913173102.GA84554@sushi.pseudo.local>
In-Reply-To: <20080911174721.GA10261@sushi.pseudo.local>
Subject: Re: Jailing net/skype
On Thu, Sep 11, 2008 at 07:47:21PM +0200, Tobias Rehbein wrote:
> I have net/skype installed on my workstation and it just works fine. Now I
> wonder if it's possible to run skype in a jail.
>
> Before I start investing time in this I would like to know if someone has
> done it before or if it would be just a waste of time.

Hello all.

As nobody seems to have experience with this I decided to set up a simple
jail to test this. Unfortunately skype keeps dumping core when I'm trying to
start it. Perhaps someone has a hint for me how to deal with this.

I tried to set up a jail as unrestrictive as possible. My goal was to get the
whole thing running and lock down the jail later.

#uname -a
FreeBSD sushi.pseudo.local 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #17: Thu Sep 11 19:04:40 CEST 2008 tobi@sushi.pseudo.local:/usr/obj/usr/src/sys/SUSHI i386

#sysctl security.jail.
security.jail.jailed: 1
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 0
security.jail.set_hostname_allowed: 1

#sysctl compat.linux
compat.linux.oss_version: 198144
compat.linux.osrelease: 2.6.16
compat.linux.osname: Linux

#pkg_info | grep linux_base
linux_base-fc6-6_5  Base set of packages needed in Linux mode (for i386/amd64)

#grep LINUX /etc/make.conf
OVERRIDE_LINUX_BASE_PORT=fc6

devfs is mounted and I use the same ruleset as in the host system.
#kdump -f ktrace.out | head
84180 skype CALL access(0x292b2b61,R_OK)
84180 skype NAMI "/compat/linux/etc/ld.so.preload"
84180 skype NAMI "/etc/ld.so.preload"
84180 skype RET access JUSTRETURN
84180 skype CALL open(0x292b2d49,O_RDONLY,0)
84180 skype NAMI "/compat/linux/etc/ld.so.cache"
84180 skype NAMI "/compat/linux"
84180 skype NAMI "/compat/linux/etc/ld.so.cache"
84180 skype RET open 3
84180 skype CALL freebsd6_mmap(0x3,0xbfbfe324,690704336,MAP_SHARED|MAP_PRIVATE|MAP_RENAME|MAP_NORESERVE|MAP_HASSEMAPHORE|MAP_STACK|MAP_NOSYNC,0x2e6f732e,0x68636163,0x646165,0,0,0,0,0,0,0,0,0,... (lots of '0,'s)

The funny thing is kdump itself coredumps when dumping the whole thing out
(I guess that has something to do with this endless '...0,0,0,0,0...'
sequence).

Last but not least my kernel config:

cpu             I686_CPU
ident           SUSHI

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_DIRHASH             # Improve performance on big directories
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_LABEL              # Provides labelization
options         COMPAT_43TTY            # BSD 4.3 TTY compat [KEEP THIS!]
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
options         STOP_NMI                # Stop CPUS using NMI instead of IPI
options         SMP                     # Symmetric MultiProcessor Kernel
device          apic                    # I/O APIC
device          cpufreq
device          eisa
device          pci
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
options         ATA_STATIC_ID           # Static device numbering
options         AHC_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~128k to driver.
options         AHD_REG_PRETTY_PRINT    # Print register bitfields in debug
                                        # output.  Adds ~215k to driver.
device          scbus                   # SCSI bus (required for SCSI)
device          da                      # Direct Access (disks)
device          cd                      # CD
device          pass                    # Passthrough device (direct SCSI access)
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          psm                     # PS/2 mouse
device          vga                     # VGA video card driver
device          splash                  # Splash screen and screen saver support
device          sc
device          agp                     # support several AGP chipsets
device          sio                     # 8250, 16[45]50 based serial ports
device          ppc
device          ppbus                   # Parallel port bus (required)
device          miibus                  # MII bus support
device          re                      # RealTek 8139C+/8169/8169S/8110S
device          wlan                    # 802.11 support
device          wlan_wep                # 802.11 WEP support
device          wlan_ccmp               # 802.11 CCMP support
device          wlan_tkip               # 802.11 TKIP support
device          wlan_amrr               # AMRR transmit rate control algorithm
device          wlan_scan_ap            # 802.11 AP mode scanning
device          wlan_scan_sta           # 802.11 STA mode scanning
device          loop                    # Network loopback
device          random                  # Entropy device
device          ether                   # Ethernet support
device          pty                     # Pseudo-ttys (telnet etc)
device          md                      # Memory "disks"
device          firmware                # firmware assist module
device          bpf                     # Berkeley packet filter
device          uhci                    # UHCI PCI->USB interface
device          ehci                    # EHCI PCI->USB interface (USB 2.0)
device          usb                     # USB Bus (required)
device          umass                   # Disks/Mass storage - Requires scbus and da
device          ums                     # Mouse
device          firewire                # FireWire bus code
device          sbp                     # SCSI over FireWire (Requires scbus and da)
device          atapicam
device          sound
device          snd_hda
device          wpi
device          drm
device          radeondrm
options         NULLFS
options         ATKBD_DFLT_KEYMAP
makeoptions     ATKBD_DFLT_KEYMAP=german.iso.acc
options         IPFIREWALL
options         IPDIVERT
options         COMPAT_LINUX

Any help would be appreciated.

Regards
Tobias

--
Tobias Rehbein
PGP key: 4F2AE314
server: keys.gnupg.net
fingerprint: ECDA F300 1B6E 9B87 8524 8663 E8B6 3138 4F2A E314
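An added example (my own sh script, not code from Tobias's mail): it audits the security.jail sysctl values quoted in the post against an assumed locked-down baseline, the kind of check that belongs to the "lock down the jail later" step. The sample input is the sysctl output from the post; the baseline values are assumptions for this example, not anything the post recommends.

```sh
#!/bin/sh
# Added example, not from the original post. Audits FreeBSD 7.x-era global
# security.jail.* sysctls against a locked-down baseline and reports each
# deviation. On a live host feed it `sysctl security.jail` output instead
# of the constructed sample below.

# Constructed input: the values quoted in the post, as printed by sysctl(8).
JAIL_SYSCTL_SAMPLE='security.jail.jailed: 1
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 0
security.jail.set_hostname_allowed: 1'

# Assumed locked-down baseline for this example: "knob wanted-value".
JAIL_BASELINE='security.jail.mount_allowed 0
security.jail.chflags_allowed 0
security.jail.allow_raw_sockets 0
security.jail.enforce_statfs 2
security.jail.sysvipc_allowed 0
security.jail.socket_unixiproute_only 1
security.jail.set_hostname_allowed 0'

# audit_jail_sysctls SYSCTL_OUTPUT BASELINE
# Prints one "knob actual wanted" line per deviation (actual is MISSING when
# the knob is absent) and returns the number of deviations as exit status,
# so 0 means the host matches the baseline.
audit_jail_sysctls() {
    _out=$1; _base=$2; _bad=0
    while read -r _knob _want; do
        [ -n "$_knob" ] || continue
        _have=$(printf '%s\n' "$_out" | awk -v k="$_knob:" '$1 == k { print $2 }')
        if [ -z "$_have" ]; then
            printf '%s MISSING %s\n' "$_knob" "$_want"; _bad=$((_bad + 1))
        elif [ "$_have" != "$_want" ]; then
            printf '%s %s %s\n' "$_knob" "$_have" "$_want"; _bad=$((_bad + 1))
        fi
    done <<EOF
$_base
EOF
    return "$_bad"
}

# Demo run: the post's permissive test jail deviates on four knobs.
audit_jail_sysctls "$JAIL_SYSCTL_SAMPLE" "$JAIL_BASELINE" || echo "deviations: $?"
```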