Date: Fri, 15 Feb 2019 08:16:36 +0000 From: Arthur Chance <freebsd@qeng-ho.org> To: David Christensen <dpchrist@holgerdanske.com>, freebsd-questions@freebsd.org Subject: Re: FreeBSD 11.2-RELEASE-p9 jail ping: ssend socket: Operation not permitted Message-ID: <7950becf-03af-8fa3-f143-dece2f250440@qeng-ho.org> In-Reply-To: <c6ae2a22-0538-2a35-2651-af9be8f6c4aa@holgerdanske.com> References: <c6ae2a22-0538-2a35-2651-af9be8f6c4aa@holgerdanske.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 15/02/2019 02:41, David Christensen wrote:
> freebsd-questions:
>
> I have a FreeBSD machine:
>
> root@beastie:~ # freebsd-version ; uname -a
> 11.2-RELEASE-p9
> FreeBSD beastie 11.2-RELEASE-p9 FreeBSD 11.2-RELEASE-p9 #0: Tue Feb 5
> 15:30:36 UTC 2019
> root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>
>
> It has one network interface with one alias:
>
> root@beastie:~ # grep ifconfig /etc/rc.conf
> ifconfig_em0="inet 192.168.5.9 netmask 255.255.255.0"
> ifconfig_em0_alias0="inet 192.168.5.8 netmask 255.255.255.255"
>
>
> I have created a jail that I plan to use for Samba:
>
> root@beastie:~ # cat /etc/jail.conf
> samba {
> host.hostname="samba.tracy.holgerdanske.com";
> ip4.addr="192.168.5.8";
> path="/jail/samba";
> mount.devfs;
> exec.clean;
> exec.start="sh /etc/rc";
> exec.stop="sh /etc/rc.shutdown";
> }
>
>
> I have copied resolv.conf into the jail:
>
> root@beastie:~ # cat /jail/samba/etc/resolv.conf
> search tracy.holgerdanske.com
> nameserver 192.168.5.1
>
>
> I have created rc.conf inside the jail:
>
> root@beastie:~ # cat /jail/samba/etc/rc.conf
> defaultrouter="192.168.5.1"
> ntpd_enable="YES"
> sshd_enable="YES"
>
>
> I have create a dummy fstab inside the jail:
>
> root@beastie:~ # ll /jail/samba/etc/fstab
> -rw-r--r-- 1 root wheel 0 2019/02/14 16:16:13 /jail/samba/etc/fstab
>
>
> I have enabled jails at host startup:
>
> root@beastie:~ # grep jail /etc/rc.conf
> jail_enable="YES"
>
>
> I have enabled jail raw sockets on both the host and inside the jail:
>
> root@beastie:~ # grep jail /etc/sysctl.conf
> security.jail.allow_raw_sockets=1
>
> root@beastie:~ # cat /jail/samba/etc/sysctl.conf | grep -v #
> security.jail.allow_raw_sockets=1
>
>
> When I reboot the host:
>
> root@beastie:~ # shutdown -r now
>
>
> The jail is running:
>
> root@beastie:~ # service jail status
> JID IP Address Hostname Path
> samba 192.168.5.8 samba.tracy.holgerdanske.com /jail/samba
>
>
> Jail raw sockets are enabled on the host:
>
> root@beastie:~ # sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
>
>
> But they are disabled in the jail:
>
> root@samba:/ # sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 0
>
>
> The jail network interfaces look good:
>
> root@samba:/ # ifconfig
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
>
> ether 54:bf:64:72:38:db
> hwaddr 54:bf:64:72:38:db
> inet 192.168.5.8 netmask 0xffffffff broadcast 192.168.5.8
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
> groups: lo
>
>
> But the jail cannot ping itself, the host, or any other host:
>
> root@beastie:~ # jexec samba /bin/csh -l
>
> root@samba:/ # ping localhost
> ping: ssend socket: Operation not permitted
>
> root@samba:/ # ping 192.168.5.9
> ping: ssend socket: Operation not permitted
>
> root@samba:/ # ping 192.168.5.1
> ping: ssend socket: Operation not permitted
>
>
> Suggestions?
>
Read the manual entry for jail(8). Specifically this bit
allow.raw_sockets
The jail root is allowed to create raw sockets. Setting
this parameter allows utilities like ping(8) and
traceroute(8) to operate inside the jail. If this is
set, the source IP addresses are enforced to comply with
the IP address bound to the jail, regardless of whether
or not the IP_HDRINCL flag has been set on the socket.
Since raw sockets can be used to configure and interact
with various network subsystems, extra caution should be
used where privileged access to jails is given out to
untrusted parties.
--
Always learn from the mistakes of others, because you won't live long
enough to learn from making all possible mistakes yourself.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7950becf-03af-8fa3-f143-dece2f250440>