Bug 229968 - jail can see other interfaces in linprocfs
Summary: jail can see other interfaces in linprocfs
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 11.2-RELEASE
Hardware: amd64 Any
: --- Affects Only Me
Assignee: freebsd-jail (Nobody)
URL:
Keywords:
Depends on:
Blocks: 247219
  Show dependency treegraph
 
Reported: 2018-07-22 18:27 UTC by Jason Mader
Modified: 2020-10-14 15:42 UTC (History)
8 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Mader 2018-07-22 18:27:15 UTC 
I hope I'm not missing something, but in a jail using Linux compatibility, 

jail {
  interface = ix1;
  linux = new;
  mount.fstab = /var/jail/etc/fstab;
}

/var/jail/etc/fstab:
linprocfs /var/jail/compat/linux/proc linprocfs rw 0 0

It appears that the jail can see the ix0 interface on the host. I would have thought it would see ix1 mapped as eth0 only.

 NAMI  "/compat/linux/proc/net/dev"
 GIO   fd 4 read 571 bytes
       "Inter-|                                                   Receive|  Transmit
	  face|bytes    packets errs drop fifo frame compressed multicast|  bytes    packets errs drop fifo colls carrier compressed
	  eth0:  400275    5236    0    0    0     0          0         1   668562    4589    0    0    0     0       0          0
	  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
	   lo0:  208242    1115    0    0    0     0          0         0   208242    1115    0    0    0     0       0          0
       "
Comment 1 Conrad Meyer freebsd_committer freebsd_triage 2018-07-22 19:01:32 UTC 
linprocfs_donetdev() does no filtering for jails, but probably should.

In fact, the only linprocfs routine that does any jail-specific behavior appears to be linprocfs_doprocroot() (proc/pid/root).  I.e., it seems like proc/pid may show processes outside the jail, too.
Comment 2 Shawn Webb 2018-07-22 20:20:25 UTC 
I'm not seeing processes outside the jail:

mutt-hbsd[shawn]:/mnt $ ls -al
total 9
dr-xr-xr-x   1 root   wheel   0 Jul 22 16:18 .
drwxr-xr-x  18 root   wheel  22 Jul 11 13:22 ..
dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 2054
dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 30443
dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 37567
dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 50606
dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 51623
dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 61613
-r--r--r--   1 root   wheel   0 Jul 22 16:18 cmdline
-r--r--r--   1 root   wheel   0 Jul 22 16:18 cpuinfo
-r--r--r--   1 root   wheel   0 Jul 22 16:18 devices
-r--r--r--   1 root   wheel   0 Jul 22 16:18 filesystems
-r--r--r--   1 root   wheel   0 Jul 22 16:18 loadavg
-r--r--r--   1 root   wheel   0 Jul 22 16:18 meminfo
-r--r--r--   1 root   wheel   0 Jul 22 16:18 mounts
-r--r--r--   1 root   wheel   0 Jul 22 16:18 mtab
dr-xr-xr-x   1 root   wheel   0 Jul 22 16:18 net
-r--r--r--   1 root   wheel   0 Jul 22 16:18 partitions
dr-xr-xr-x   1 root   wheel   0 Jul 22 16:18 scsi
lr--r--r--   1 root   wheel   0 Jul 22 16:18 self -> 50606
-r--r--r--   1 root   wheel   0 Jul 22 16:18 stat
-r--r--r--   1 root   wheel   0 Jul 22 16:18 swaps
dr-xr-xr-x   1 root   wheel   0 Jul 22 16:18 sys
-r--r--r--   1 root   wheel   0 Jul 22 16:18 uptime
-r--r--r--   1 root   wheel   0 Jul 22 16:18 version
mutt-hbsd[shawn]:/mnt $ sysctl security.jail.jailed
security.jail.jailed: 1
Comment 3 Jamie Gritton freebsd_committer freebsd_triage 2018-07-23 15:02:01 UTC 
Jails don't hide interfaces, only IP addresses.  While there are interfaces specified in jail.conf, that's only for the convenience of adding the jail's IP address as an alias on that interface when the jail is created.

This isn't Linuxulator-specific.  ifconfig will also show all interfaces, just without any non-jail IP addresses.
Comment 4 Jason Mader 2018-07-23 15:24:20 UTC 
(In reply to Jamie Gritton from comment #3)

There is an odd behavior with IP aliases. If two jails use the same address,

first {
  interface = ix0;
  ip4.addr = 192.0.2.1;
}
second {
  interface = ix0;
  ip4.addr = 192.0.2.1;
}

When either jail is started, the IP aliases are created. When either jail is stopped, the IP aliases are removed; even if the other jail is still running.
Comment 5 Bjoern A. Zeeb freebsd_committer freebsd_triage 2018-07-23 16:49:45 UTC 
(In reply to Jason Mader from comment #4)

that is a totally different issue;  that's using a hack badly; sorry.  Classic jails don't care about interfaces (as Jamie said) and the hack to do the provisioning is simply calling ifconfig on start/stop.  There is no "state" or refcounting involved.  In those cases I usually provision the IP aliases using the base system configuration rather than ab-using the jail-trying-to-be-helpful logic for this.
Comment 6 Bjoern A. Zeeb freebsd_committer freebsd_triage 2018-07-23 16:52:34 UTC 
(In reply to Jamie Gritton from comment #3)

There is a point that we should zero the statistics for non-IPs for queries from jails to not leak that information (as so many other things) and then only for the jail-IPs keep them.

Two jails sharing an IP address might still be able to derive that there is another one, etc.;  on the other hand, jails were never meant to be that perfect.


For a moment I thought we might even go the long way and if there is no IP for the jail on an interface, ditch the entire interface but the logic to hide a little detail grows quickly.

The linprocfs should however never expose more than the native tools and for as long as that's true, I am ok with whatever linprocfs exports.
Comment 7 Shawn Webb 2018-07-23 16:57:43 UTC 
(In reply to Bjoern A. Zeeb from comment #6)
A workaround would be to use epair devices with jails. It would be nice to be on par with Solaris Crossbow and Zones with complete jail isolation. Making epair the preferred method of jail networking would bring us closer to that dream. :)
Comment 8 james 2018-10-20 19:20:45 UTC 
MARKED AS SPAM