Date: Fri, 3 Jan 2003 14:32:46 -0800 (PST) From: Julian Elischer <julian@elischer.org> To: phk@freebsd.org Cc: FreeBSD current users <current@freebsd.org> Subject: Re: Jail detection Message-ID: <Pine.BSF.4.21.0301031410470.77781-100000@InterJet.elischer.org> In-Reply-To: <2525.1041630880@critter.freebsd.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 3 Jan 2003 phk@freebsd.org wrote:
> In message <Pine.BSF.4.21.0301031332060.77781-100000@InterJet.elischer.org>, Ju
> lian Elischer writes:
> >
> >We have some software we'd like to behave slightly differently if it is
> >in a jail.
> >
> >What methods do people use to detect they are in a jail?
> >procfs/curproc might work but I don't want to depend on procfs.
> >ps aux can be used but seems rather heavyweight.
> >Something like a sysctl would be best. I could implement it
> >(unless there's already something I missed), if it was considered
> >the right answer.
>
> Use sysctl to pick up your own proc, look for the jail flag. It takes
> less than 10 lines of C.
I can't see anything relevant in sysctl -a. I didn't say it was a C
program. (for that matter what are those 10 lines?) I 've often wondered
how to get the proc info out of sysctl.. I guess it's whatever libkvm
does. (I'll go hunting)\
I was thinking of something like:
static int
sysctl_jail_status(SYSCTL_HANDLER_ARGS)
{
int val;
val = (curproc->p_flag & P_JAIL)? 1 : 0 ;
return (sysctl_handle_int(oidp, NULL, val, req));
}
SYSCTL_PROC(_jail, OID_AUTO, status, CTLTYPE_INT|CTLFLAG_RD,
0, sizeof val, sysctl_jail_status, "I", "Are we in a jail?");
in kern_jail.c
(in 4.x)
this would work better for things like shell and perl as well as for C
>
> >Also, does anyone wnow the mechanism for ping failing (in 4.x systems)
> >from jails?
>
> Yes. raw sockets are blanket denied in jails. Not because it is impossible
> to properly filter them, but because nobody has written the code it takes.
I'll take a look.
For me I'd allow it if a sysctl said so.. there are other reasons for
making jails than just securing things..
For example I need to have a 4.3 environment in a 4.7++ system
(differnt sets of ports needed for the application)
I completely trust the code in the jail. I just need it to
be partitionned so it doesn't interfere with the ports and system
running the main system. One of the things it does is
to ping peers to see if they are available..
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0301031410470.77781-100000>