From: Christian Schwarz
To: Mark Martinec
Cc: freebsd-stable@freebsd.org
Date: Mon, 12 Dec 2016 20:38:17 +0100
Subject: Re: Is System V IPC namespace still shared across jails?

With the new jail parameters, new namespaces for SysV IPC are possible on FreeBSD 11. For those ezjail users, add something like this to the jail's config after creating it using 'ezjail-admin create':

export jail_postgres_parameters="sysvmsg=new sysvsem=new sysvshm=new"

Cheers,
Christian

---

man 8 jail

> ...
>
> allow.sysvipc
>         A process within the jail has access to System V IPC
>         primitives. This is deprecated in favor of the per-
>         module parameters (see below). When this parameter is
>         set, it is equivalent to setting sysvmsg, sysvsem, and
>         sysvshm all to ``inherit''.
>
> ...
>
> sysvmsg
>         Allow access to SYSV IPC message primitives. If set to
>         ``inherit'', all IPC objects on the system are visible to this
>         jail, whether they were created by the jail itself, the base
>         system, or other jails. If set to ``new'', the jail will have
>         its own key namespace, and can only see the objects that it has
>         created; the system (or parent jail) has access to the jail's
>         objects, but not to its keys. If set to ``disable'', the jail
>         cannot perform any sysvmsg-related system calls.
>
> sysvsem, sysvshm
>         Allow access to SYSV IPC semaphore and shared memory primitives,
>         in the same manner as sysvmsg.
>
> ...
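Because a jail left at ``inherit'' sees every SysV IPC object on the host, including those of other jails, an administrator will want to confirm that running jails actually carry the sysvmsg/sysvsem/sysvshm values they were configured with. The script below is an added example, not part of the mail above or of ezjail; it assumes the three jail(8) parameters quoted from the man page and that `jls name sysvmsg sysvsem sysvshm` on FreeBSD 11 or later prints one jail per line with those values space-separated. When jls is not available it falls back to a constructed sample so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original mail or ezjail): audit running jails
# for shared System V IPC namespaces. Assumes the jail(8) parameters sysvmsg,
# sysvsem and sysvshm as quoted from the man page, and that
# `jls name sysvmsg sysvsem sysvshm` prints "<name> <msg> <sem> <shm>" lines.

# Exit 0 when every value is "new" or "disable" (the jail has its own IPC key
# namespace, or SysV IPC is off), 1 when any value is "inherit" (objects are
# shared with the host and other jails), 2 when a value is not recognised.
ipc_isolation_status() {
    _rc=0
    for _v in "$1" "$2" "$3"; do
        case "$_v" in
            new|disable) ;;
            inherit) _rc=1 ;;
            *) return 2 ;;
        esac
    done
    return $_rc
}

# Turn one jls output line "<name> <sysvmsg> <sysvsem> <sysvshm>" into a
# one-word verdict: "<name> isolated", "<name> SHARED" or "<name> unknown".
report_line() {
    set -- $1
    if ipc_isolation_status "$2" "$3" "$4"; then
        echo "$1 isolated"
    elif [ $? -eq 1 ]; then
        echo "$1 SHARED"
    else
        echo "$1 unknown"
    fi
}

# Constructed sample, shaped like `jls name sysvmsg sysvsem sysvshm` output on
# a host with three jails (not real data from the mail). The "legacy" jail is
# the pre-FreeBSD-11 situation the thread asks about: one shared namespace.
SAMPLE_JLS_OUTPUT='postgres new new new
legacy inherit inherit inherit
minimal disable disable disable'

# Audit either the given jls-style text, the live jls output when the tool
# exists on this host, or the constructed sample otherwise.
audit_jails() {
    _out=$1
    if [ -z "$_out" ]; then
        if command -v jls >/dev/null 2>&1; then
            _out=$(jls name sysvmsg sysvsem sysvshm)
        else
            _out=$SAMPLE_JLS_OUTPUT
        fi
    fi
    printf '%s\n' "$_out" | while IFS= read -r line; do
        [ -n "$line" ] && report_line "$line"
    done
}

audit_jails
```

Any jail reported as SHARED should get `sysvmsg=new sysvsem=new sysvshm=new` (or `disable` if it needs no SysV IPC at all) in its configuration, exactly as the ezjail parameter line in the mail does for the postgres jail; a jail created before the parameters were added keeps the shared namespace until it is restarted with them.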