From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 259770] ggate: jail(2) failure error: Unable to jail process in directory /var/empty after stable/12 src ca9ab8ea1774
Date: Fri, 12 Nov 2021 14:16:24 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Keywords: needs-qa, regression
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: fk@fabiankeil.de
X-Bugzilla-Status: Open
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259770

--- Comment #5 from Fabian Keil ---
Thanks a lot for your thoughts.

Actually only the forked connection handler(s) go to jail and change the uid:

[fk@elektrobier ~]$ ps waux | grep [g]gated
root    13676   0.0  0.1  12232   2296  -  Ss   14:55     0:00.00 ggated -a 127.0.1.6
ggated  13743   0.0  0.1  17600   3068  -  SCJ  14:55     0:00.02 ggated -a 127.0.1.6
[fk@elektrobier ~]$ sudo procstat -f $(pgrep ggated)
  PID COMM     FD T V FLAGS    REF OFFSET PRO NAME
13743 ggated text v r r-------   -      - -   /sbin/ggated
13743 ggated  cwd v d r-------   -      - -   /var/empty
13743 ggated root v d r-------   -      - -   /var/empty
13743 ggated jail v d r-------   -      - -   /var/empty
13743 ggated    0 v c rw------   6      0 -   /dev/null
13743 ggated    1 v c rw------   6      0 -   /dev/null
13743 ggated    2 v c rw------   6      0 -   /dev/null
13743 ggated    3 v d r----n--   2      0 -   /var/run
13743 ggated    4 s - rw------   2      0 UDD /var/run/logpriv
13743 ggated    5 v r -w---n-l   2      0 -   /var/run/ggated.pid
13743 ggated    6 s - rw------   3      0 TCP 0 0 127.0.1.6:3080 0.0.0.0:0
13743 ggated    7 s - rw------   1      0 TCP 0 0 127.0.1.6:3080 127.0.1.6:37026
13743 ggated    8 v c rw------   1      0 -   /dev/zvol/dpool/ggated/t520.eli
13743 ggated    9 s - rw------   2      0 TCP 0 0 127.0.1.6:3080 127.0.1.6:40360
13676 ggated text v r r-------   -      - -   /sbin/ggated
13676 ggated  cwd v d r-------   -      - -   /
13676 ggated root v d r-------   -      - -   /
13676 ggated    0 v c rw------   6      0 -   /dev/null
13676 ggated    1 v c rw------   6      0 -   /dev/null
13676 ggated    2 v c rw------   6      0 -   /dev/null
13676 ggated    3 v d r----n--   2      0 -   /var/run
13676 ggated    4 s - rw------   2      0 UDD /var/run/logpriv
13676 ggated    5 v r -w---n-l   2      0 -   /var/run/ggated.pid
13676 ggated    6 s - rw------   3      0 TCP 0 0 127.0.1.6:3080 0.0.0.0:0
13676 ggated    7 ? - --------   2      0 -   -

I wrote the code years ago and did not remember this.

Looking at the procstat output more closely I realize that there is no reason why the forked process has to keep the pid file open at all. It contains the pid of the parent and the forked process does not actually have to unlink it either. Without the pid file open, jail(2) should succeed.

The forked process probably does not need access to fd 6 either. Oops ....

While I still think it could be useful to be able to jail a process with a pid file located outside of the jail I guess it's not required in this case and I should simply fix/improve my code.

I'll look into this over the next couple of days and get back to you.
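
The cleanup the comment above proposes for the forked handler, as an added example that is not part of the original mail and is not ggated's code: close every inherited descriptor the child does not need, then audit that no directory descriptor (such as fd 3, /var/run, in the procstat output) is still open. The names close_fds_except() and count_open_dir_fds() are hypothetical; a handler would call them after fork(2) and before jail(2).

```c
/* Added example; helper names are hypothetical, not from ggated. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Upper bound for the descriptor scan; the cap is a constructed value. */
static int fd_limit(void) {
	long max = sysconf(_SC_OPEN_MAX);
	return (max < 0 || max > 65536) ? 65536 : (int)max;
}

/* Close every descriptor above stderr not listed in keep[]; return how many were closed. */
int close_fds_except(const int *keep, size_t nkeep) {
	int closed = 0, max = fd_limit();
	for (int fd = STDERR_FILENO + 1; fd < max; fd++) {
		bool kept = false;
		for (size_t i = 0; i < nkeep; i++)
			kept = kept || keep[i] == fd;
		if (!kept && close(fd) == 0)
			closed++;
	}
	return closed;
}

/* Audit: count descriptors above stderr that still refer to a directory. */
int count_open_dir_fds(void) {
	struct stat sb;
	int ndirs = 0, max = fd_limit();
	for (int fd = STDERR_FILENO + 1; fd < max; fd++)
		if (fstat(fd, &sb) == 0 && S_ISDIR(sb.st_mode))
			ndirs++;
	return ndirs;
}

int main(void) {
	int dir = open("/", O_RDONLY);          /* stands in for fd 3 (/var/run) */
	int conn = open("/dev/null", O_RDWR);   /* stands in for the client socket */
	int keep[] = { conn };
	printf("directory fds before: %d (dir fd %d)\n", count_open_dir_fds(), dir);
	printf("closed: %d\n", close_fds_except(keep, 1));
	printf("directory fds after: %d\n", count_open_dir_fds());
	return 0;
}
```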