enforce_statfs showing leading path

enforce_statfs showing leading path

Michael W. Lucas-2
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"

Re: enforce_statfs showing leading path

Mateusz Guzik
On 1/8/19, Michael W. Lucas <[hidden email]> wrote:

> Hi,
>
> I'm experimenting with enforce_statfs for the jails book, and have hit
> an inconsistency. Not sure if the bug should go to src or doc. Running
> last week's -current.
>
> According to jail(8):
>
>     When set to 1, only mount points below the jail's chroot
>     directory are visible.  In addition to that, the path to the
>     jail's chroot directory is removed from the front of their
>     pathnames.
>
> Seems pretty clear that I shouldn't see anything other than
>
> # jls -h name enforce_statfs
> ...
> ioc-www1 1
>
> So, as I read it, the jail's chroot directory should be stripped down
> to /. But inside the jail:
>
> root@www1:~ # mount
> iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)
> devfs on /dev (devfs, local, multilabel)
> fdescfs on /dev/fd (fdescfs)
>
> I see the jail's chroot directory.
>
> This seems to contradict the man page, unless I'm misunderstanding.
>
> Is this a software bug? A ZFS thing? A doc bug? Or am I just an idiot?
>
> Also, should this path be stripped when enforce_statfs is set to 1 *or
> above*? Or is this strictly when set to 1? If I'm filing a bug, it
> might as well be complete...
>

The "path" you are seeing is dataset name, which you made to resemble
the mount point.

Whether full dataset name should be exposed or not is a very different
question, does illumos do it?

Worst case it should be trivial to add a sysctl to just obfuscate the name.

--
Mateusz Guzik <mjguzik gmail.com>

Re: enforce_statfs showing leading path

freebsd-jail mailing list
In reply to this post by Michael W. Lucas-2
Hi.
You see the dataset name of zfs without stripping. The mount point is
correctly stripped. I don't remember how this looks on ufs.

With jailed datasets we would need more than just some code to remove parts
of the name.

So it's a doc bug (clarity about mount points and dataset names) and a zfs
issue.

Bye,
Alexander.

--
Sent from a mobile device, please forgive brevity and misspellings.

On 8 January 2019 at 8:34:17 PM, "Michael W. Lucas"
<[hidden email]> wrote:

> Hi,
>
> I'm experimenting with enforce_statfs for the jails book, and have hit
> an inconsistency. Not sure if the bug should go to src or doc. Running
> last week's -current.
>
> According to jail(8):
>
>     When set to 1, only mount points below the jail's chroot
>     directory are visible.  In addition to that, the path to the
>     jail's chroot directory is removed from the front of their
>     pathnames.
>
> Seems pretty clear that I shouldn't see anything other than
>
> # jls -h name enforce_statfs
> ...
> ioc-www1 1
>
> So, as I read it, the jail's chroot directory should be stripped down
> to /. But inside the jail:
>
> root@www1:~ # mount
> iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)
> devfs on /dev (devfs, local, multilabel)
> fdescfs on /dev/fd (fdescfs)
>
> I see the jail's chroot directory.
>
> This seems to contradict the man page, unless I'm misunderstanding.
>
> Is this a software bug? A ZFS thing? A doc bug? Or am I just an idiot?
>
> Also, should this path be stripped when enforce_statfs is set to 1 *or
> above*? Or is this strictly when set to 1? If I'm filing a bug, it
> might as well be complete...
>
> Thanks,
> ==ml
>
> --
> Michael W. Lucas https://mwl.io/
> author of: Absolute OpenBSD, SSH Mastery, git commit murder,
> Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
>

Re: enforce_statfs showing leading path

Bjoern A. Zeeb
On 9 Jan 2019, at 9:42, Alexander Leidinger via freebsd-jail wrote:

Hi,

I’ll be a bit verbose also for mwlucas.

> You see the dataset name of zfs without stripping. The mount point is
> correctly stripped. I don't remember how this looks on ufs.

/dev/ada0p19 on / (ufs, local, journaled soft-updates)
/local/data/www1/users/johndoe on /usr/home/johndoe/www1 (nullfs, local)

The “device” is also visible there, as well as file system type and
specific options.

I also added a nullfs example.  For that the mount point is properly
treated and lost the /local/jails/whatever/ prefix with enforce_statfs=1
but the “device” side is just as visible in full as it is for any
other real device.


> With jailed datasets we would need more than just some code to remove
> parts of the name.
>
> So it's a doc bug (clarity about mount points and dataset names) and a
> zfs issue.

Well, no it’s not a zfs specific issue.  And the docs talk about mount
points not about the “device” (or dataset in zfs parlance).

If anything for clarity one could add a sentence to the jail(8) page
saying that the “device” part of the mount output is not being
restricted or altered.


One of the reasons for enforce_statfs certainly was to limit the amount
of information;  that also has the side-effect of scripts parsing the
mount (mount points) output actually finding the paths they might be
looking for.


The df command output might make some of this all a bit more clear.



> On 8 January 2019 at 8:34:17 PM, "Michael W. Lucas"
> <[hidden email]> wrote:
>
>> Hi,
>>
>> I'm experimenting with enforce_statfs for the jails book, and have hit
>> an inconsistency. Not sure if the bug should go to src or doc. Running
>> last week's -current.
>>
>> According to jail(8):
>>
>>     When set to 1, only mount points below the jail's chroot
>>     directory are visible.  In addition to that, the path to the
>>     jail's chroot directory is removed from the front of their
>>     pathnames.
>>
>> Seems pretty clear that I shouldn't see anything other than
>>
>> # jls -h name enforce_statfs
>> ...
>> ioc-www1 1
>>
>> So, as I read it, the jail's chroot directory should be stripped down
>> to /. But inside the jail:
>>
>> root@www1:~ # mount
>> iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)

                                   ^^^^ it is stripped down to /

>> devfs on /dev (devfs, local, multilabel)
>> fdescfs on /dev/fd (fdescfs)
>>
>> I see the jail's chroot directory.
>>
>> This seems to contradict the man page, unless I'm misunderstanding.
>>
>> Is this a software bug? A ZFS thing? A doc bug? Or am I just an idiot?
>>
>> Also, should this path be stripped when enforce_statfs is set to 1 *or
>> above*? Or is this strictly when set to 1? If I'm filing a bug, it
>> might as well be complete...
>>
>> Thanks,
>> ==ml
>>
>> --
>> Michael W. Lucas https://mwl.io/
>> author of: Absolute OpenBSD, SSH Mastery, git commit murder,
>> Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
>>

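The distinction drawn in the message above (mount point rewritten, "device" column left in full), as an added example that is not part of the original thread: a POSIX sh filter that classifies the source column of mount(8) output so a jail administrator can see which entries still carry host-side names. The function names and verdict labels are assumptions made for this illustration; the sample input is the set of mount lines quoted in the thread.

```shell
#!/bin/sh
# Added example: classify the "device" (source) column of FreeBSD mount(8)
# output. enforce_statfs rewrites the mount point column only, so the source
# column is where host-side names remain visible inside a jail.

# Reads lines of the form "SOURCE on MOUNTPOINT (FSTYPE, option, ...)" on stdin.
# Prints: VERDICT<TAB>FSTYPE<TAB>MOUNTPOINT<TAB>SOURCE
classify_mount_sources() {
    while IFS= read -r line; do
        src=${line%% on *}
        [ "$src" = "$line" ] && continue      # no " on ": not a mount line
        rest=${line#* on }
        mnt=${rest% (*}                       # cut the trailing "(...)" group
        opts=${rest##* (}
        opts=${opts%)}
        fstype=${opts%%,*}                    # first item in the group
        case $src in
            "$fstype") verdict=pseudo ;;      # devfs, fdescfs: no host name
            /dev/*)    verdict=device ;;      # host device node name
            /*)        verdict=host-path ;;   # e.g. nullfs source directory
            *)  if [ "$fstype" = zfs ]; then verdict=dataset
                else verdict=other; fi ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$verdict" "$fstype" "$mnt" "$src"
    done
}

# Only the entries whose source column carries a host-side name.
exposed_sources() {
    classify_mount_sources | awk -F '\t' '$1 != "pseudo"'
}

# Sample input: the mount lines quoted in this thread.
SAMPLE_MOUNT='iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)
devfs on /dev (devfs, local, multilabel)
fdescfs on /dev/fd (fdescfs)
/dev/ada0p19 on / (ufs, local, journaled soft-updates)
/local/data/www1/users/johndoe on /usr/home/johndoe/www1 (nullfs, local)'

printf '%s\n' "$SAMPLE_MOUNT" | exposed_sources
```

Inside a jail, `mount | exposed_sources` lists the entries whose source column would need renaming on the host side (dataset layout, nullfs source paths) if that information should not be visible.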
Re: enforce_statfs showing leading path

Michael W. Lucas-2