177821 – sysctl: Some security.jail nodes are funky, duplicate entries, ending in dots (.)

Bug 177821 - sysctl: Some security.jail nodes are funky, duplicate entries, ending in dots (.)

Summary: sysctl: Some security.jail nodes are funky, duplicate entries, ending in dots...

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	needs-patch, needs-qa

Depends on:
Blocks:

Reported:	2013-04-13 03:00 UTC by Enji Cooper
Modified:	2024-10-03 06:43 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
nsysctl -OFIHtN -s ', ' security (9.32 KB, text/plain) 2021-07-25 01:06 UTC, Alfonso S. Siciliano	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Enji Cooper freebsd_committer

2013-04-13 03:00:00 UTC

Noticed this when doing sysctl -Na | grep jail... in particular the sysctl MIBs
that have a trailing '.' are odd:

security.jail.param.allow.mount.zfs
security.jail.param.allow.mount.procfs
security.jail.param.allow.mount.nullfs
security.jail.param.allow.mount.devfs
security.jail.param.allow.mount.
security.jail.param.allow.socket_af
security.jail.param.allow.quotas
security.jail.param.allow.chflags
security.jail.param.allow.raw_sockets
security.jail.param.allow.sysvipc
security.jail.param.allow.set_hostname
security.jail.param.ip6.saddrsel
security.jail.param.ip6.addr
security.jail.param.ip6.
security.jail.param.ip4.saddrsel
security.jail.param.ip4.addr
security.jail.param.ip4.
security.jail.param.cpuset.id
security.jail.param.host.hostid
security.jail.param.host.hostuuid
security.jail.param.host.domainname
security.jail.param.host.hostname
security.jail.param.host.
security.jail.param.children.max
security.jail.param.children.cur
security.jail.param.dying
security.jail.param.persist
security.jail.param.devfs_ruleset
security.jail.param.enforce_statfs
security.jail.param.securelevel
security.jail.param.path
security.jail.param.name
security.jail.param.parent
security.jail.param.jid
security.jail.param.linux.
security.jail.param.linux.osname
security.jail.param.linux.osrelease
security.jail.param.linux.oss_version
security.jail.devfs_ruleset
security.jail.enforce_statfs
security.jail.mount_zfs_allowed
security.jail.mount_procfs_allowed
security.jail.mount_nullfs_allowed
security.jail.mount_devfs_allowed
security.jail.mount_allowed
security.jail.chflags_allowed
security.jail.allow_raw_sockets
security.jail.sysvipc_allowed
security.jail.socket_unixiproute_only
security.jail.set_hostname_allowed
security.jail.jail_max_af_ips
security.jail.jailed
security.jail.list

Comment 1 Eitan Adler freebsd_committer

2017-12-31 07:59:06 UTC

For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped

Comment 2 Kubilay Kocak freebsd_committer

2021-07-19 03:19:21 UTC

Still reproduces  14.0-CURRENT #14 main-n245176-8742817ba62

[koobs@140-CURRENT-amd64-564d:/usr/home/koobs] sysctl -aN | grep jail |grep -E '.*\.$'
security.jail.param.sysvshm.
security.jail.param.sysvsem.
security.jail.param.sysvmsg.
security.jail.param.allow.mount.
security.jail.param.ip6.
security.jail.param.ip4.
security.jail.param.host.

They "appear" to be duplicates, most with identical descriptions, except "security.jail.param.allow.mount":

[koobs@140-CURRENT-amd64-564d:/usr/home/koobs] sysctl -ad | grep jail

security.jail.param.sysvshm: SYSV shared memory
security.jail.param.sysvshm.: SYSV shared memory
security.jail.param.sysvsem: SYSV semaphores
security.jail.param.sysvsem.: SYSV semaphores
security.jail.param.sysvmsg: SYSV message queues
security.jail.param.sysvmsg.: SYSV message queues

security.jail.param.allow.mount: Jail mount/unmount permission flags
security.jail.param.allow.mount.: Jail may mount/unmount jail-friendly file systems in general

security.jail.param.ip6: Jail IPv6 address virtualization
security.jail.param.ip6.: Jail IPv6 address virtualization

security.jail.param.ip4: Jail IPv4 address virtualization
security.jail.param.ip4.: Jail IPv4 address virtualization

security.jail.param.host: Jail host info
security.jail.param.host.: Jail host info

Comment 3 Alfonso S. Siciliano freebsd_committer

2021-07-25 01:06:46 UTC

Created attachment 226665 [details]
nsysctl -OFIHtN -s ', ' security

Comment 4 Alfonso S. Siciliano freebsd_committer

2021-07-25 01:08:03 UTC

The sysctl name that have a trailing '.' are normal: they are normal sysctl objects with a `struct sysctl_oid` in the MIB but their name `sysctl_oid.oid_name` is just "\0".

I mentioned them at the BSDCan 2020 and in some quarterly status report to describe sysutils/sysctlinfo-kmod, sysutils/sysctlbyname-improved-kmod and devel/sysctlmibinfo2.

We can use sysutils/nsysctl to know their properties:

% nsysctl -OFIHtN -s ', ' security
2147482851, security, node, N, Undefined
...
2147482851.2147482945, security.jail, node, N, Undefined
...
2147482851.2147482945.2147482932, security.jail.param, node, N, Undefined
2147482851.2147482945.2147482932.2147482549, security.jail.param.sysvshm, node, N, Undefined
2147482851.2147482945.2147482932.2147482549.2147482548, security.jail.param.sysvshm., integer, E,jailsys, Defined
2147482851.2147482945.2147482932.2147482560, security.jail.param.sysvsem, node, N, Undefined
2147482851.2147482945.2147482932.2147482560.2147482559, security.jail.param.sysvsem., integer, E,jailsys, Defined
2147482851.2147482945.2147482932.2147482573, security.jail.param.sysvmsg, node, N, Undefined
2147482851.2147482945.2147482932.2147482573.2147482572, security.jail.param.sysvmsg., integer, E,jailsys, Defined
2147482851.2147482945.2147482932.2147482900, security.jail.param.allow, node, N, Undefined
2147482851.2147482945.2147482932.2147482900.2147482888, security.jail.param.allow.mount, node, N, Undefined
2147482851.2147482945.2147482932.2147482900.2147482888.2147471913, security.jail.param.allow.mount.debugfs, integer, B, Defined
2147482851.2147482945.2147482932.2147482900.2147482888.2147471916, security.jail.param.allow.mount.anon_inodefs, integer, B, Defined
2147482851.2147482945.2147482932.2147482900.2147482888.2147473599, security.jail.param.allow.mount.devfs, integer, B, Defined
2147482851.2147482945.2147482932.2147482900.2147482888.2147473671, security.jail.param.allow.mount.tmpfs, integer, B, Defined
2147482851.2147482945.2147482932.2147482900.2147482888.2147473673, security.jail.param.allow.mount.procfs, integer, B, Defined
2147482851.2147482945.2147482932.2147482900.2147482888.2147482887, security.jail.param.allow.mount., integer, B, Defined
...
2147482851.2147482945.2147482932.2147482904, security.jail.param.ip6, node, N, Undefined
2147482851.2147482945.2147482932.2147482904.2147482901, security.jail.param.ip6.saddrsel, integer, B, Defined
2147482851.2147482945.2147482932.2147482904.2147482902, security.jail.param.ip6.addr, opaque, S,in6_addr,a, Defined
2147482851.2147482945.2147482932.2147482904.2147482903, security.jail.param.ip6., integer, E,jailsys, Defined
2147482851.2147482945.2147482932.2147482908, security.jail.param.ip4, node, N, Undefined
2147482851.2147482945.2147482932.2147482908.2147482905, security.jail.param.ip4.saddrsel, integer, B, Defined
2147482851.2147482945.2147482932.2147482908.2147482906, security.jail.param.ip4.addr, opaque, S,in_addr,a, Defined
2147482851.2147482945.2147482932.2147482908.2147482907, security.jail.param.ip4., integer, E,jailsys, Defined
2147482851.2147482945.2147482932.2147482910, security.jail.param.cpuset, node, N, Undefined
2147482851.2147482945.2147482932.2147482910.2147482909, security.jail.param.cpuset.id, integer, I, Defined
2147482851.2147482945.2147482932.2147482916, security.jail.param.host, node, N, Undefined
2147482851.2147482945.2147482932.2147482916.2147482911, security.jail.param.host.hostid, unsigned long, LU, Defined
2147482851.2147482945.2147482932.2147482916.2147482912, security.jail.param.host.hostuuid, string, A, Defined
2147482851.2147482945.2147482932.2147482916.2147482913, security.jail.param.host.domainname, string, A, Defined
2147482851.2147482945.2147482932.2147482916.2147482914, security.jail.param.host.hostname, string, A, Defined
2147482851.2147482945.2147482932.2147482916.2147482915, security.jail.param.host., integer, E,jailsys, Defined
2147482851.2147482945.2147482932.2147482919, security.jail.param.children, node, N, Undefined
2147482851.2147482945.2147482932.2147482919.2147482917, security.jail.param.children.max, integer, I, Defined
2147482851.2147482945.2147482932.2147482919.2147482918, security.jail.param.children.cur, integer, I, Defined
...


The complete output is attached, it prints: OID, name, type, format and handler status, for example 

2147482851.2147482945.2147482932.2147482908, security.jail.param.ip4, node, N, Undefined
2147482851.2147482945.2147482932.2147482908.2147482905, security.jail.param.ip4.saddrsel, integer, B, Defined
2147482851.2147482945.2147482932.2147482908.2147482906, security.jail.param.ip4.addr, opaque, S,in_addr,a, Defined
2147482851.2147482945.2147482932.2147482908.2147482907, security.jail.param.ip4., integer, E,jailsys, Defined

Obviously "security.jail.param.ip4" is the (internal node) father and "security.jail.param.ip4." is a (leaf) child, they are not dublicates but distinct objects.

We can use deskutils/sysctlview for a real GUI representation, in asciiart:

2147482851 "security"
      |
2147482945 "jail"
      |
2147482932 "param"
      |
2147482908 "ip4"
   ___|_____________________________________
   |                      |                |
2147482905 "saddrsel" 2147482906 "addr" 2147482907 "\0" (<-"security.jail.param.ip4.\0")


Conclusion, the output of sysctl is correct, of course a jail expert could update the descriptions to avoid confusion.

Comment 5 Mark Linimon freebsd_committer

2024-10-03 06:43:19 UTC

^Triage: clear stale flags.

To submitter: is this aging PR still relevant?