Unable to get jail parameters values

Unable to get jail parameters values

Andrew Hotlab
Sorry for the stupid question, but I just realised that I'm unable
to know the real value of a specific parameter. For example,
I know that the allow.raw_sockets is set to "1" for the jail "jtest01",
because I set it so in the /etc/jail.conf file, but when I type the sysctl
command inside the jail, it tells me that the value is "0" (which
I guess is the default value).

root@jtest01:~ # sysctl security.jail.jailed
security.jail.jailed: 1

root@jtest01:~ # sysctl security.jail.param.allow.raw_sockets
security.jail.param.allow.raw_sockets: 0

root@jtest01:~ # ping -c2 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=11.310 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=9.525 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.525/10.418/11.310/0.892 ms


I noticed the same behaviour on both FreeBSD 10.3 and 11.1.

How can I get real jail.param values for a specific running jail?

Thanks.

Andrew
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"

Re: Unable to get jail parameters values

Andrew Hotlab
> How can I get real jail.param values for a specific running jail?

Replying to my own question... I just found that it's possible to
know it from the host with the command jls(8). Here is an example:

root@host01:~ # jls -nj jtest01 allow.raw_sockets
allow.raw_sockets=1

Can someone tell me if it is possible to get the same info by issuing
a command inside the jail?

Thanks.

Andrew

Re: Unable to get jail parameters values

James Gritton
On 2017-10-24 13:10, Andrew Hotlab wrote:

>> How can I get real jail.param values for a specific running jail?
>
> Replying to my own question... I just found that it's possible to
> know it from the host with the command jls(8). Here is an example:
>
> root@host01:~ # jls -nj jtest01 allow.raw_sockets
> allow.raw_sockets=1
>
> Can someone tell me if it is possible to get the same info by issuing
> a command inside the jail?

A note on your original question: the security.jail.param.* sysctls are
dummies, just there to tell jail(8) (and anyone else who cares) about
the available parameters.

For the current question, I'm afraid the answer is no.  While many
(most?) parameters are fine to know, the idea is that there are security
considerations to knowing some things about your own prison.  So this
inability is a conscious decision.  As to whether there actually *are*
any security considerations to knowing about yourself, that may be
something of an open question.  Certainly the things you can test in
other ways (like allow.raw_sockets) aren't a concern.

- Jamie
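
Since the thread establishes that a jail's runtime values are readable only from the host with jls(8), here is an added example (not from the thread or the FreeBSD project) of a host-side sh script that compares a running jail's allow.* values against an expected baseline. It uses only the `jls -nj <jail> <param>` form and the `param=value` output shown above; the baseline values, the `JLS` override variable and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a running jail's allow.* parameters from the host.
# JLS is a hypothetical override so the logic can be exercised without jls(8).
JLS=${JLS:-jls}

# Print the runtime value of one parameter of one jail.
# Relies on "jls -nj <jail> <param>" printing "param=value", as in the thread.
jail_param() {
    out=$("$JLS" -nj "$1" "$2" 2>/dev/null) || return 1
    case $out in
        "$2="*) printf '%s\n' "${out#*=}" ;;
        *) return 1 ;;          # unexpected output: treat as unreadable
    esac
}

# Read "param expected-value" lines on stdin and print one line per
# deviation. Returns 0 when the jail matches the baseline, 1 otherwise.
audit_jail() {
    jail=$1
    rc=0
    while read -r param want; do
        case $param in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! got=$(jail_param "$jail" "$param"); then
            echo "$jail: $param: unreadable"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "$jail: $param: runtime=$got expected=$want"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./audit.sh jtest01
# The baseline below is a constructed policy, not a recommendation from the thread.
if [ "$#" -gt 0 ]; then
    audit_jail "$1" <<'EOF'
# parameter          expected
allow.raw_sockets    0
allow.mount          0
allow.sysvipc        0
allow.chflags        0
EOF
fi
```

Run it on the host, not inside the jail: inside, the security.jail.param.* sysctls only describe which parameters exist and do not reflect the jail's settings.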