Re: jails and output of df/mount [PATCH]
Hi Jürgen,

On Wed, May 18, 2005 at 12:45:29AM +0200, Juergen Unger wrote:
> On Tue, May 17, 2005 at 11:43:24PM +0200, Jeremie Le Hen wrote:
> [...]
> > There seems to be one small bug in your patch: once applied, we don't
> > see information about / any longer inside jails.
>
> please try the new one at
> http://www.addict.de/unger/fbsd/patch-20050518/

tested this one, compiles and seems to work as expected:

On jailhost (outside):

$ uname -a
FreeBSD pinserv6.p-i-n.com 5.4-STABLE FreeBSD 5.4-STABLE #10: Mon May 23 10:07:39 CEST 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/PE2650 i386

[EMAIL PROTECTED]:~$ mount
/dev/aacd0s2a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/aacd1s1d on /data (ufs, local, soft-updates)
/dev/aacd0s2e on /usr (ufs, local, soft-updates)
/dev/aacd0s2d on /var (ufs, local, soft-updates)
procfs on /proc (procfs, local)
devfs on /data/jails/test01/dev (devfs, local)
devfs on /data/jails/test02/dev (devfs, local)

In jails:

[EMAIL PROTECTED] mount
/dev/aacd1s1d on /data (ufs, local, soft-updates)
devfs on /data/jails/test01/dev (devfs, local)

[EMAIL PROTECTED] mount
/dev/aacd1s1d on /data (ufs, local, soft-updates)
devfs on /data/jails/test02/dev (devfs, local)

Mfg
Raphael Becker

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: jails and output of df/mount [PATCH]
Hi Juergen,

> within a jail there are at this time two possibilities of operation for
> the syscall getfsstat (which is used e.g. for the commands 'df' and
> 'mount'):
>
> security.jail.getfsstatroot_only = 0:
>   getfsstat returns all filesystems mounted anywhere on the machine
>
> security.jail.getfsstatroot_only = 1:
>   getfsstat returns the filesystem the jail root is in and nothing more
>   (mountpoints within the jail's fs tree are not returned)
>
> IMHO this 2nd one is not what is really needed: if we have additional
> filesystems mounted within the jail's tree they should be visible too,
> so that they are shown with a simple 'df' or 'mount'.
>
> I made a small patch for this which is available at
> http://www.addict.de/unger/fbsd/patch-20050516/
> and should work against CURRENT and RELENG_5_4
>
> Any comments?
>
> I am not sure if there is locking needed (mtx_lock, mtx_unlock) around
> this new piece of code; at this time it works for me without locking...
>
> Any other opinions?

This works fine on a recent RELENG_5 UP kernel.

Given that this exposes some host configuration inside jail, it might be
worth adding a sysctl to disable this. However, I'm not really sure this
kind of information could really be an attack vector or ramp.

There seems to be one small bug in your patch: once applied, we don't see
information about / any longer inside jails.

Thanks for your work.

Regards,
--
Jeremie Le Hen
jeremie at le-hen dot org
ttz at chchile dot org
Re: jails and output of df/mount [PATCH]
Hi Jeremie!

On Tue, May 17, 2005 at 11:43:24PM +0200, Jeremie Le Hen wrote:
> [...]
> This works fine on a recent RELENG_5 UP kernel.
>
> Given that this exposes some host configuration inside jail, it might be
> worth adding a sysctl to disable this. However, I'm not really sure this
> kind of information could really be an attack vector or ramp.

I don't share your opinion that this exposes information not already
known to the processes within the jail.

For example: with this patch I get on a sample jail here the following
output:

jail# df -h
Filesystem          Size    Used   Avail Capacity  Mounted on
/dev/md3c           4.8G    148M    4.3G     3%    /data1/jail/003
195.49.136.4:/po    989M    275M    635M    30%    /data1/jail/003/usr/ports
195.49.136.4:/di    989M    189M    721M    21%    /data1/jail/003/distfiles
195.49.136.4:/pa    989M     83M    828M     9%    /data1/jail/003/packages
/dev/md2001c         19G    4.0K     18G     0%    /data1/jail/003/var/spool/news
devfs               1.0K    1.0K      0B   100%    /data1/jail/003/dev
fdescfs             1.0K    1.0K      0B   100%    /data1/jail/003/dev/fd
procfs              4.0K    4.0K      0B   100%    /data1/jail/003/proc
jail#

the processes within the jail can get the same information without the
patch if they call df for each mounted fs separately:

jail# df -h /
Filesystem          Size    Used   Avail Capacity  Mounted on
/dev/md3c           4.8G    148M    4.3G     3%    /data1/jail/003

jail# df -h /usr/ports
Filesystem          Size    Used   Avail Capacity  Mounted on
195.49.136.4:/po    989M    275M    635M    30%    /data1/jail/003/usr/ports

jail# df -h /distfiles
Filesystem          Size    Used   Avail Capacity  Mounted on
195.49.136.4:/di    989M    189M    721M    21%    /data1/jail/003/distfiles

[...and so on...]

That the '/data1/jail/003/' path component is shown in the output is
another point to fix (I will make another patch for it), but this
behaviour is not changed from before. It would be better to only output
the path as it is known to the jailed processes.

> There seems to be one small bug in your patch: once applied, we don't
> see information about / any longer inside jails.

hmm, I think I know what you mean. I am very sure this happens only if
the jail does not have its own filesystem (so the jail's root is not the
root of a filesystem). Should be easy to fix. I will make an improved
patch by tomorrow.

bye,
Juergen
--
ENOSIG
Re: jails and output of df/mount [PATCH]
On Tue, May 17, 2005 at 11:43:24PM +0200, Jeremie Le Hen wrote:
> [...]
> There seems to be one small bug in your patch: once applied, we don't
> see information about / any longer inside jails.

please try the new one at
http://www.addict.de/unger/fbsd/patch-20050518/

bye,
Juergen
--
ENOSIG
jails and output of df/mount [PATCH]
Hi!

within a jail there are at this time two possibilities of operation for
the syscall getfsstat (which is used e.g. for the commands 'df' and
'mount'):

security.jail.getfsstatroot_only = 0:
  getfsstat returns all filesystems mounted anywhere on the machine

security.jail.getfsstatroot_only = 1:
  getfsstat returns the filesystem the jail root is in and nothing more
  (mountpoints within the jail's fs tree are not returned)

IMHO this 2nd one is not what is really needed: if we have additional
filesystems mounted within the jail's tree they should be visible too,
so that they are shown with a simple 'df' or 'mount'.

I made a small patch for this which is available at
http://www.addict.de/unger/fbsd/patch-20050516/
and should work against CURRENT and RELENG_5_4

Any comments?

I am not sure if there is locking needed (mtx_lock, mtx_unlock) around
this new piece of code; at this time it works for me without locking...

Any other opinions?

bye,
Juergen
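To make the three behaviours discussed in this thread concrete (the two existing settings of security.jail.getfsstatroot_only, plus the "jail filesystem and everything mounted below it" view the patch is after, and the path-stripping Juergen mentions as a follow-up), here is an added user-space model. It is example code written for this page, not Juergen's patch and not FreeBSD kernel code: it filters a constructed mount table the way a jailed getfsstat would under each policy, and reproduces the bug case where a jail without its own filesystem is reported as living on its parent mount (here "/data"). The enum, struct and function names are this example's own, and the mapping of an ancestor mount to "/" for the jailed view is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Visibility policies. 0 and 1 mirror the two sysctl settings described in
 * the thread; 2 is the behaviour the patch aims for. Names are the
 * example's own, not kernel identifiers. */
enum jail_fs_policy {
    FS_ALL = 0,            /* every mount on the machine */
    FS_ROOT_ONLY = 1,      /* only the filesystem the jail root lives in */
    FS_ROOT_AND_BELOW = 2  /* that filesystem plus mounts inside the jail tree */
};

struct mnt {
    const char *fs;   /* what is mounted, as in "mount" output */
    const char *on;   /* host-view mount point */
};

/* Constructed sample mount table; not copied from any host in the thread. */
static const struct mnt host_mounts[] = {
    { "/dev/ad0s1a", "/" },
    { "devfs",       "/dev" },
    { "/dev/ad0s1d", "/data1" },
    { "/dev/md3c",   "/data1/jail/003" },               /* jail with own fs */
    { "nfs:/ports",  "/data1/jail/003/usr/ports" },
    { "devfs",       "/data1/jail/003/dev" },
    { "/dev/ad0s1e", "/data" },
    { "devfs",       "/data/jails/test01/dev" },        /* jail without own fs */
    { "devfs",       "/data/jails/test02/dev" },
};
#define NHOST (sizeof host_mounts / sizeof host_mounts[0])

/* 1 if path equals dir or is a component-aligned descendant of it.
 * "/" is an ancestor of everything; "/x/0030" is NOT under "/x/003". */
int path_under(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (n == 1 && dir[0] == '/')
        return path[0] == '/';
    if (strncmp(path, dir, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/';
}

/* Index of the mount holding jail_root: the longest mount point that is an
 * ancestor of (or equal to) the root. This is what FS_ROOT_ONLY reports; for
 * a jail without its own filesystem it is the parent mount, not the jail. */
int mount_containing(const struct mnt *t, size_t n, const char *jail_root)
{
    int best = -1;
    size_t bestlen = 0;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(t[i].on);
        if (path_under(jail_root, t[i].on) && (best < 0 || l > bestlen)) {
            best = (int)i;
            bestlen = l;
        }
    }
    return best;
}

/* Store the indices of mounts visible under the policy in out (capacity max)
 * and return the count: what a jailed getfsstat would hand to df/mount. */
size_t jail_visible_mounts(const struct mnt *t, size_t n, const char *jail_root,
                           enum jail_fs_policy pol, size_t *out, size_t max)
{
    size_t cnt = 0;
    int rootidx = mount_containing(t, n, jail_root);
    for (size_t i = 0; i < n && cnt < max; i++) {
        int show = 0;
        switch (pol) {
        case FS_ALL:            show = 1; break;
        case FS_ROOT_ONLY:      show = ((int)i == rootidx); break;
        case FS_ROOT_AND_BELOW: show = ((int)i == rootidx) ||
                                       path_under(t[i].on, jail_root); break;
        }
        if (show)
            out[cnt++] = i;
    }
    return cnt;
}

/* Host-view mount point -> path as a jailed process knows it: strip the jail
 * root; an ancestor mount maps to "/" (assumed mapping for this example). */
const char *jail_relative_path(const char *on, const char *jail_root,
                               char *buf, size_t len)
{
    if (!path_under(on, jail_root)) {
        snprintf(buf, len, "/");
        return buf;
    }
    const char *rest = on + strlen(jail_root);
    snprintf(buf, len, "%s", *rest ? rest : "/");
    return buf;
}

int main(void)
{
    const char *jails[] = { "/data1/jail/003", "/data/jails/test01" };
    size_t idx[NHOST];
    char buf[256];
    for (size_t j = 0; j < 2; j++) {
        printf("jail %s, root-and-below view:\n", jails[j]);
        size_t n = jail_visible_mounts(host_mounts, NHOST, jails[j],
                                       FS_ROOT_AND_BELOW, idx, NHOST);
        for (size_t k = 0; k < n; k++)
            printf("  %s on %s\n", host_mounts[idx[k]].fs,
                   jail_relative_path(host_mounts[idx[k]].on, jails[j],
                                      buf, sizeof buf));
    }
    return 0;
}
```

Running it shows the second jail being reported on "/data" (the parent filesystem) in both the root-only and root-and-below views, which is exactly the "/ disappears" symptom Jeremie reported and Raphael's mount output from the test01 jail illustrates; the component-aligned prefix check in path_under is the detail a real implementation has to get right so that a sibling directory with a longer name is not mistaken for part of the jail tree.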