Date: Mon, 11 Feb 2019 10:23:54 -0700
From: James Gritton
To: jail@freebsd.org
Subject: Re: init in a jail
List-Id: "Discussion about FreeBSD jail\(8\)"

On 2019-02-11 08:48, Michael W. Lucas wrote:
> Sadly, my google-fu has turned up thousands of man pages but no real
> discussion on this.
>
> According to init(8), you can run init inside a jail.
>
> If init is run in a jail, the security level of the "host system" will
> not be affected. Part of the information set up in the kernel to support
> a jail is a per-jail security level. This allows running a higher
> security level inside of a jail than that of the host system. See
> jail(8) for more information about jails.
>
> If you actually try, though, the jail dies:
>
> storm~;jail -vc loghost
> loghost: run command: /sbin/ifconfig jailether inet 198.51.100.225 netmask 255.255.255.255 alias
> loghost: run command: /sbin/mount -t devfs -oruleset=4 . /jail/loghost/dev
> loghost: run command: logger trying to start jail loghost...
> loghost: jail_set(JAIL_CREATE) persist name=loghost path=/jail/loghost host.hostname=loghost.mwl.io ip4.addr=198.51.100.225
> loghost: created
> loghost: run command in jail: /sbin/init
> jail: loghost: /sbin/init: failed
> loghost: removed
> loghost: run command: /sbin/umount /jail/loghost/dev
> loghost: run command: /sbin/ifconfig jailether inet 198.51.100.225 netmask 255.255.255.255 -alias
>
> Is that init(8) text left over from an earlier jail incarnation? Or is
> there some other way to run init in a jail?
>
> And WHY would you run init in a jail?

Interesting - I wonder how long it's been since init worked inside
jails. From the look of your error messages, probably not since devfs
started being used. I wasn't even aware that init(8) had anything to say
on the matter, but it's clearly erroneous.

As to why it would be good to have a per-jail init, there would be a few
advantages. Orphaned processes could then reparent to the jail's init
instead of the real init, and the jail root could easily reboot jails.
Doing it right would require presenting jailed init as pid 1, but that's
not really very hard.

- Jamie