Date: Thu, 22 Jul 2010 15:33:12 -0400
From: Isaac Levy <ike@blackskyresearch.net>
To: freebsd-jail@freebsd.org
Subject: Re: sysvipc in jails + CURRENT
Message-ID: <201007221934.o6MJYA7f020607@rs54.luxsci.com>
Hi All,

I could be doing something stupid, or I've dug up an old bug
(http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00859.html).

I cannot get good ol' trusty enforce_statfs to work, allowing me to see different mounts from within a jail.

--

The example jail command I'm using (new-style):

jail -c path=$JDIR host.hostname=$JHOSTNAME ip4.addr="$INET" enforce_statfs=1 command=/bin/sh /etc/rc

I've tried everything, including attempting to change my sysctls over and over (including /etc/sysctl.conf with rebooting).

Interestingly:

The old standard 'security.jail.enforce_statfs' was not something I could modify, *until* I put a sysctl value in /etc/sysctl.conf which was not 0 (1 or 2 both will let me set the sysctl value once the system is booted).

If I have "security.jail.enforce_statfs=0", to my surprise, I cannot change that sysctl on the host system as I would usually expect. (This is what makes me think this smells like a bug.)

My extra mounts are UFS volumes, mounted right into the jail directory (on another UFS volume).

What follows are just machine stats, if anyone wants them.

I'd love any thoughts, URLs, no matter how brief...
Best,
.ike

--

$ sysctl security.jail
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 1
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0

--

More system stats:

FreeBSD copper 8.0-RELEASE-p4 FreeBSD 8.0-RELEASE-p4 #5: Tue Jul 20 12:33:57 EDT 2010 ike@copper.vault.tab:/usr/obj/usr/src/sys/80-amd64kernMay2010 amd64

...

# ikenote: additives to generic kernel, FreeBSD 7.2->8.0:

# HTTPD/DNS Accept Filter Support
# (queues requests in OS socket until entire request is in)
# Applications must make use of the syscall in their implementation,
# (Apache 1.x-2.x is a clear case of use).
# See the man page for accept_filter(9) for more info.
options ACCEPT_FILTER_HTTP
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_DNS  # FreeBSD 8.0 onward only

# ZFS ADDITIVES
# http://wiki.freebsd.org/ZFSTuningGuide
# or alternatively, see: /usr/src/sys/i386/conf/NOTES
##options KVA_PAGES=512  # not required on amd64

# lagg(4) link aggregation and link failover interface
device lagg

# PF, CARP, ALTQ...
device pf
device pflog
device pfsync

# ALTQ, network card queue offloading
# see the altq(4) man page for a list of supported drivers
options ALTQ
options ALTQ_CBQ    # Class Bases Queuing (CBQ)
options ALTQ_RED    # Random Early Detection (RED)
options ALTQ_RIO    # RED In/Out
options ALTQ_HFSC   # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ   # Priority Queuing (PRIQ)
options ALTQ_NOPCC  # Required for SMP build

# DTRACE
options KDTRACE_HOOKS
options DDB_CTF
options KDTRACE_FRAME  # amd64 only

-- dmesg --

Copyright (c) 1992-2009 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 8.0-RELEASE-p4 #5: Tue Jul 20 12:33:57 EDT 2010
    ike@copper.vault.tab:/usr/obj/usr/src/sys/80-amd64kernMay2010
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz (2000.08-MHz K8-class CPU)
  Origin = "GenuineIntel"  Id = 0x1067a  Stepping = 10
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x40ce33d<SSE3,DTES64,MON,DS_CPL,VMX,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,XSAVE>
  AMD Features=0x20100800<SYSCALL,NX,LM>
  AMD Features2=0x1<LAHF>
  TSC: P-state invariant
real memory  = 34359738368 (32768 MB)
avail memory = 33150808064 (31615 MB)
ACPI APIC Table: <PTLTD APIC >
FreeBSD/SMP: Multiprocessor System Detected: 8 CPUs
FreeBSD/SMP: 1 package(s) x 8 core(s)
 cpu0 (BSP): APIC ID: 0
 cpu1 (AP): APIC ID: 1
 cpu2 (AP): APIC ID: 2
 cpu3 (AP): APIC ID: 3
 cpu4 (AP): APIC ID: 4
 cpu5 (AP): APIC ID: 5
 cpu6 (AP): APIC ID: 6
 cpu7 (AP): APIC ID: 7
ioapic0 <Version 2.0> irqs 0-23 on motherboard
ioapic1 <Version 2.0> irqs 24-47 on motherboard
kbd1 at kbdmux0
acpi0: <PTLTD RSDT> on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
unknown: I/O range not supported
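As an added example (not part of the original post), the following script models the enforce_statfs visibility rule described in jail(8) against a constructed mount table shaped like the poster's setup: a jail directory on one UFS volume with extra UFS volumes mounted inside it. The jail root `/jails/copper-j1` and all mount points are invented; mount points are printed as the host sees them, so the expected set at each level can be compared with what `mount` shows inside a real jail.

```shell
#!/bin/sh
# Added example: model of the enforce_statfs mount visibility rule from
# jail(8), run against a constructed mount table. Not code from the post.

# Constructed mount table: "<mount point> <fstype>" per line.
MOUNTS='/ ufs
/usr ufs
/jails ufs
/jails/copper-j1/usr/local ufs
/jails/copper-j1/var/db ufs
/jails/other ufs
/dev devfs'

# jail_root_mount ROOT: the mount point holding ROOT (longest matching prefix).
# That mount is always visible to the jail, whatever enforce_statfs is set to.
jail_root_mount() {
    printf '%s\n' "$MOUNTS" | awk -v r="$1" '
        $1 == "/" || $1 == r || index(r, $1 "/") == 1 {
            if (length($1) > length(best)) best = $1
        }
        END { print best }'
}

# visible_mounts ROOT LEVEL: mount points a process jailed at ROOT can see.
#   0: every mount on the system
#   1: the jail's own root mount plus mounts at or below ROOT
#   2: the jail's own root mount only
visible_mounts() {
    root=$1
    case $2 in
    0) printf '%s\n' "$MOUNTS" | awk '{ print $1 }' ;;
    1) jail_root_mount "$root"
       printf '%s\n' "$MOUNTS" |
           awk -v r="$root" '$1 != r && index($1, r "/") == 1 { print $1 }' ;;
    2) jail_root_mount "$root" ;;
    *) echo "enforce_statfs must be 0, 1 or 2" >&2; return 1 ;;
    esac
}

# Usage: what the constructed jail should see at each level.
for level in 0 1 2; do
    echo "enforce_statfs=$level:"
    visible_mounts /jails/copper-j1 "$level" | sed 's/^/  /'
done
```

Note that the sibling mount `/jails/other` is hidden at level 1 even though it lives on the same parent volume as the jail root, which is the behaviour the poster expects from enforce_statfs=1.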