From owner-freebsd-questions@freebsd.org Fri Feb 15 02:49:24 2019
To: freebsd-questions@freebsd.org
From: David Christensen
Subject: FreeBSD 11.2-RELEASE-p9 jail ping: ssend socket: Operation not permitted
Date: Thu, 14 Feb 2019 18:41:05 -0800

freebsd-questions:

I have a FreeBSD machine:

root@beastie:~ # freebsd-version ; uname -a
11.2-RELEASE-p9
FreeBSD beastie 11.2-RELEASE-p9 FreeBSD 11.2-RELEASE-p9 #0: Tue Feb 5 15:30:36 UTC 2019 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

It has one network interface with one alias:

root@beastie:~ # grep ifconfig /etc/rc.conf
ifconfig_em0="inet 192.168.5.9 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.168.5.8 netmask 255.255.255.255"

I have created a jail that I plan to use for Samba:

root@beastie:~ # cat /etc/jail.conf
samba {
    host.hostname="samba.tracy.holgerdanske.com";
    ip4.addr="192.168.5.8";
    path="/jail/samba";
    mount.devfs;
    exec.clean;
    exec.start="sh /etc/rc";
    exec.stop="sh /etc/rc.shutdown";
}

I have copied resolv.conf into the jail:

root@beastie:~ # cat /jail/samba/etc/resolv.conf
search tracy.holgerdanske.com
nameserver 192.168.5.1

I have created rc.conf inside the jail:

root@beastie:~ # cat /jail/samba/etc/rc.conf
defaultrouter="192.168.5.1"
ntpd_enable="YES"
sshd_enable="YES"

I have created a dummy fstab inside the jail:

root@beastie:~ # ll /jail/samba/etc/fstab
-rw-r--r-- 1 root wheel 0 2019/02/14 16:16:13 /jail/samba/etc/fstab

I have enabled jails at host startup:

root@beastie:~ # grep jail /etc/rc.conf
jail_enable="YES"

I have enabled jail raw sockets on both the host and inside the jail:

root@beastie:~ # grep jail /etc/sysctl.conf
security.jail.allow_raw_sockets=1
root@beastie:~ # cat /jail/samba/etc/sysctl.conf | grep -v #
security.jail.allow_raw_sockets=1

When I reboot the host:

root@beastie:~ # shutdown -r now

The jail is running:

root@beastie:~ # service jail status
JID IP Address Hostname Path
samba 192.168.5.8 samba.tracy.holgerdanske.com /jail/samba

Jail raw sockets are enabled on the host:

root@beastie:~ # sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1

But they are disabled in the jail:

root@samba:/ # sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 0

The jail network interfaces look good:

root@samba:/ # ifconfig
em0: flags=8843 metric 0 mtu 1500
options=209b
ether 54:bf:64:72:38:db
hwaddr 54:bf:64:72:38:db
inet 192.168.5.8 netmask 0xffffffff broadcast 192.168.5.8
media: Ethernet autoselect (1000baseT )
status: active
lo0: flags=8049 metric 0 mtu 16384
options=600003
groups: lo

But the jail cannot ping itself, the host, or any other host:

root@beastie:~ # jexec samba /bin/csh -l
root@samba:/ # ping localhost
ping: ssend socket: Operation not permitted
root@samba:/ # ping 192.168.5.9
ping: ssend socket: Operation not permitted
root@samba:/ # ping 192.168.5.1
ping: ssend socket: Operation not permitted

Suggestions?

David
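As an added example (not part of David's post, nor FreeBSD's own tooling), here is a small parser for the jail.conf format shown above that reports what each jail definition actually sets. jail(8) documents a per-jail allow.raw_sockets parameter; the constructed copy of the posted jail.conf below sets no allow.* parameter at all, which this check makes visible. The parser is a simplification: comments are stripped per line, and a "no" prefix on a bare parameter is read as false.

```python
import re

# Constructed copy of the jail.conf from the post, embedded so the example runs offline.
JAIL_CONF = """
samba {
    host.hostname="samba.tracy.holgerdanske.com";
    ip4.addr="192.168.5.8";
    path="/jail/samba";
    mount.devfs;
    exec.clean;
    exec.start="sh /etc/rc";
    exec.stop="sh /etc/rc.shutdown";
}
"""

# A token is a double-quoted string, one of the punctuation tokens, or a bare word.
_TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\+=|[{};=])|([^\s{};="+]+)')


def parse_jail_conf(text):
    """Parse jail.conf text into {jail_name: {parameter: value}}.

    "name;" becomes True, "noname;" becomes False, "name=value;" keeps the value
    string, "name+=value;" appends, and parameters set outside any block before a
    jail are inherited by it.  Comments are stripped per line (assumes no '#' or
    '//' inside a quoted value).
    """
    text = re.sub(r"(#|//)[^\n]*", "", text)
    toks = [m.group(1) if m.group(1) is not None else (m.group(2) or m.group(3))
            for m in _TOKEN_RE.finditer(text)]
    jails, global_params = {}, {}
    params, i = global_params, 0
    while i < len(toks):
        if i + 1 < len(toks) and toks[i + 1] == "{":      # start of a jail block
            params = dict(global_params)
            jails[toks[i]] = params
            i += 2
        elif toks[i] == "}":                               # end of a jail block
            params, i = global_params, i + 1
        else:                                              # one parameter statement
            name, i, value = toks[i], i + 1, True
            if i < len(toks) and toks[i] in ("=", "+="):
                end = toks.index(";", i)                  # value runs up to the ';'
                value = " ".join(toks[i + 1:end])
                if toks[i] == "+=" and name in params:
                    value = str(params[name]) + " " + value
                i = end
            if value is True and name.startswith("no"):
                name, value = name[2:], False
            params[name] = value
            i += 1                                         # skip the ';'
    return jails


def raw_socket_setting(text, jail):
    """Return the jail's allow.raw_sockets value, or None if its definition never sets it."""
    return parse_jail_conf(text).get(jail, {}).get("allow.raw_sockets")
```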