On Tue, 15 Jul 2025 at 16:26, James Gritton <[email protected]> wrote:
> On 2025-07-15 06:53, Bjoern A. Zeeb wrote:
> > On Tue, 15 Jul 2025, Doug Rabson wrote:
> >
> >> On Mon, 14 Jul 2025 at 16:54, James Gritton <[email protected]> wrote:
> >>
> >>> On 2025-07-14 03:53, Doug Rabson wrote:
> >>>
> >>> I tried setting allow.socket_af for a jail which inherits the host vnet
> >>> and this still has problems creating interfaces:
> >>>
> >>> $ jid=$(sudo jail -i -c host.hostname=foo vnet=inherit allow.socket_af path=/ persist)
> >>> $ sudo jexec $jid
> >>> You have mail.
> >>> root@foo:/ # ifconfig bridge create
> >>> ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
> >>> root@foo:/ # exit
> >>> exit
> >>> $ sudo jail -r $jid
> >>>
> >>>
> >>> I think I see the problem: address family 2 is AF_INET, which
> >>> check_prison_af will only disallow if IPv4 is disabled in that jail - which
> >>> it is! Add ip4=inherit to your child jail and see if that does the trick.
> >>>
> >>> A typical non-vnet jail has one or more IP addresses included in the
> >>> definition, but without that the default is ip4=disabled. Bjoern's "all I
> >>> have is yours" is not in fact the overriding jail philosophy, but rather
> >>> "you get only what you ask for."
> >>>
> >>
> >> Jamie is, of course, correct and setting ip4=inherit fixes
> >> the EPROTONOSUPPORT, uncovering my original EPERM problem:
> >>
> >> $ jid=$(sudo jail -i -c host.hostname=foo ip4=inherit allow.socket_af path=/ persist)
> >> $ sudo jexec $jid ifconfig bridge create
> >> ifconfig: SIOCIFCREATE2 (bridge): Operation not permitted
> >
> > And I assume that now is because vnet=inherit does not set PR_VNET and
> > prison_priv_check() now does not catch:
> >
> > 3912         /*
> > 3913          * No default: or deny here.
> > 3914          * In case of no permit fall through to next switch().
> > 3915          */
> > 3916         if (cred->cr_prison->pr_flags & PR_VNET)
> > 3917                 return (0);
> >
> > and so you run into the default at the end. Wild guess.
> >
> > I think we really need a flag if we want to allow "vnet=inherit" and
> > "give me power to mangle with my parent's vnet". *sigh*.
> >
> > Jamie? Help?
>
> This harks back to non-hierarchical jails, since the base system is just
> a special kind of jail that has its own vnet. So we treat this like we
> would treat other jails that want to do network things: carve out an
> allow.* bit. So the question becomes: how big should the carve-out be?
> Just PRIV_NET_IFCREATE? And then add to it other things that end up
> being necessary - as separate allow bits or as part of the same? Or
> just a big "let the jail do all the network things" permission?

For my specific use case, I need PRIV_NET_IFCREATE to allow creating bridges and epairs as well as PRIV_NET_BRIDGE to allow adding or removing bridge members. Looking at the PRIV_NET_* list, I think some others may be useful, particularly IFDESTROY and probably VXLAN. Would it be unreasonable to include all the PRIV_NET_* that are not already covered?

> Or do we want to treat non-root vnets differently, and say "allow all
> (or some/many) network things for sub-jails under vnets?

It feels tidier to allow both root vnets and nested ones to work the same but I don't have a clear use-case here. I don't think I need it for running Podman inside a vnet jail but it would be needed for nesting Podman containers more than one deep. Not sure why anyone would do that.

Doug.
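A simplified model of the two gates this thread walks through, added here as an illustration and not taken from the FreeBSD kernel: the JF_* flags, the helper functions and the JF_ALLOW_IFCREATE bit are hypothetical stand-ins for ip4=inherit, PR_VNET and the allow.* carve-out the thread proposes, and the model only encodes what the thread itself states about check_prison_af and prison_priv_check.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical jail flags (names modelled on the parameters in the thread). */
enum {
    JF_IP4_INHERIT    = 1 << 0, /* ip4=inherit: IPv4 usable inside the jail */
    JF_VNET           = 1 << 1, /* PR_VNET: the jail owns its own vnet */
    JF_ALLOW_IFCREATE = 1 << 2, /* proposed allow.* bit for PRIV_NET_IFCREATE */
};

#define MODEL_AF_INET 2 /* "family 2" in the ifconfig error from the thread */

/* Step 1 (model of check_prison_af): socket(AF_INET) is refused with
 * EPROTONOSUPPORT while IPv4 is disabled, which is the default for a
 * jail whose definition carries no ip4 setting.  A jail with its own
 * vnet is treated as unrestricted in this model. */
int model_socket_check(unsigned flags, int af)
{
    if (af == MODEL_AF_INET && !(flags & (JF_IP4_INHERIT | JF_VNET)))
        return EPROTONOSUPPORT;
    return 0;
}

/* Step 2 (model of prison_priv_check for PRIV_NET_IFCREATE): a jail with
 * PR_VNET is permitted; without it the request falls through to the
 * default deny unless a dedicated allow bit (the proposed carve-out)
 * grants it. */
int model_ifcreate_priv(unsigned flags)
{
    if (flags & (JF_VNET | JF_ALLOW_IFCREATE))
        return 0;
    return EPERM;
}

/* "ifconfig bridge create" as seen from inside the jail: the socket gate
 * runs first, then the SIOCIFCREATE2 privilege gate.  Returns 0 on
 * success, or the errno of the first gate that refuses, which is why the
 * EPERM only becomes visible once ip4=inherit clears the first gate. */
int model_bridge_create(unsigned flags)
{
    int err = model_socket_check(flags, MODEL_AF_INET);
    if (err != 0)
        return err;
    return model_ifcreate_priv(flags);
}

int main(void)
{
    printf("vnet=inherit only:         errno %d\n", model_bridge_create(0));
    printf("ip4=inherit added:         errno %d\n", model_bridge_create(JF_IP4_INHERIT));
    printf("ip4=inherit + allow bit:   errno %d\n",
           model_bridge_create(JF_IP4_INHERIT | JF_ALLOW_IFCREATE));
    return 0;
}
```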
