From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 259149] mac_portacl not in affect when running VNET jail
Date: Sat, 16 Sep 2023 02:21:23 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-RELEASE
X-Bugzilla-Who: zlei@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: jail@FreeBSD.org
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259149

Zhenlei Huang changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zlei@FreeBSD.org

--- Comment #4 from Zhenlei Huang ---
(In reply to Thomas Hurst from comment #3)

> Investigating this finds 'net.inet.ip.portrange.reservedhigh=1023' within a
> vnet jail, so mac_portacl doesn't get a chance to do anything.

The sysctl variable `net.inet.ip.portrange.reservedhigh` is a per-vnet one, so it defaults to 1023 in a vnet jail. That is expected.

```
/*
 * Reserved ports accessible only to root. There are significant
 * security considerations that must be accounted for when changing these,
 * but the security benefits can be great. Please be careful.
 */
VNET_DEFINE(int, ipport_reservedhigh) = IPPORT_RESERVED - 1;	/* 1023 */
VNET_DEFINE(int, ipport_reservedlow);

SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, reservedhigh,
	CTLFLAG_VNET | CTLFLAG_RW | CTLFLAG_SECURE,
	&VNET_NAME(ipport_reservedhigh), 0, "");
```

> As on the host this needs to be set to 0 to allow mac_portacl to operate,
> though to change this I had to drop the initial jail securelevel.

True indeed.

-- 
You are receiving this mail because:
You are the assignee for the bug.
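As an added example (not code from the bug report or from FreeBSD), a small POSIX sh audit helper that applies the observation above: it reads the per-vnet reservedlow/reservedhigh values from `sysctl net.inet.ip.portrange` output as seen inside the jail and lists the mac_portacl rules whose port falls inside the reserved range, i.e. rules that the port-range check rejects before mac_portacl is ever consulted. The sysctl text and the rule string are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not part of the bug report or of FreeBSD).
# Reports mac_portacl rules that cannot take effect while the jail's
# net.inet.ip.portrange.reserved{low,high} still cover the rule's port.

# Constructed sample: what a vnet jail shows with the per-vnet default (1023).
SAMPLE_SYSCTL='net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023'
# Constructed security.mac.portacl.rules value (idtype:id:protocol:port).
SAMPLE_RULES='uid:80:tcp:80,uid:80:tcp:443,uid:1001:tcp:8080'

# Print one reserved-range bound from sysctl text. $1 = text, $2 = low|high
portrange_value() {
    printf '%s\n' "$1" | sed -n "s/^net\.inet\.ip\.portrange\.reserved$2: *//p"
}

# Print, one per line, every rule whose port lies in [reservedlow, reservedhigh].
# Such a rule is dead: the bind is refused as a reserved port before the MAC
# framework (and thus mac_portacl) gets a chance to allow it.
ineffective_rules() {   # $1 = sysctl text, $2 = rules string
    low=$(portrange_value "$1" low)
    high=$(portrange_value "$1" high)
    printf '%s\n' "$2" | tr ',' '\n' |
    while IFS=: read -r idtype id proto port; do
        [ -z "$port" ] && continue
        if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
            printf '%s:%s:%s:%s\n' "$idtype" "$id" "$proto" "$port"
        fi
    done
}

# Succeed (exit 0) only when every rule can take effect in this jail.
portacl_effective() {   # $1 = sysctl text, $2 = rules string
    [ -z "$(ineffective_rules "$1" "$2")" ]
}
```

Run it inside the jail with `ineffective_rules "$(sysctl net.inet.ip.portrange)" "$(sysctl -n security.mac.portacl.rules)"`; an empty result means reservedhigh has already been lowered (which, as noted above, the CTLFLAG_SECURE flag ties to the securelevel).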