Bug 233262 - security.jail.param.children sysctls don't display correctly
Summary: security.jail.param.children sysctls don't display correctly
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Jamie Gritton
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-16 23:25 UTC by Alan Somers
Modified: 2018-11-17 02:23 UTC (History)

See Also:


Description Alan Somers 2018-11-16 23:25:27 UTC
The children.max jail parameter is supposed to show the maximum number of child jails allowed by a jail, when using hierarchical jails.  From experiment, this parameter seems to work, but it's always displayed as 0.  The children.cur parameter is supposed to be a read-only sysctl displaying the current number of children.  However it, too, always displays 0.  The jls command can correctly display these parameters for child jails, but I don't see any way to get them from within a jail.

Steps to reproduce:

[somers@fbsd12 ~]$ sudo jail -c name=foo host.hostname=foo children.max=99 persist
[somers@fbsd12 ~]$ jls -h jid name children.max children.cur    
jid name children.max children.cur
7 foo 99 0
[somers@fbsd12 ~]$ sudo jexec foo /bin/sh
# sysctl security.jail.param.children
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
# jail -c name=bar host.hostname=bar persist
# sysctl security.jail.param.children
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
# exit
[somers@fbsd12 ~]$ jls -h jid name children.max children.cur
jid name children.max children.cur
7 foo 99 1
8 foo.bar 0 0

Tested on 12.0-BETA4 and 12.0-CURRENT as of r340301.
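The steps above, packaged as a self-cleaning script so the host-side jls(8) view and the in-jail sysctl(8) view can be compared mechanically. This is an added example, not code from the bug report or from FreeBSD; it assumes a FreeBSD host where it is run as root, reuses the jail names foo and bar from the report, and removes both jails on exit with jail -r. The two helper functions (jls_children_fields, children_match) are pure and can be run offline on captured output.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce the reported check as a
# self-cleaning script. Assumes FreeBSD, root, the jail names foo/bar from the
# report, and jail(8)/jls(8)/jexec(8)/sysctl(8) in PATH.

# Pure helper: given `jls -h jid name children.max children.cur` output on
# stdin, print "max cur" for the named jail. The header line is used to
# locate the columns, so the column order does not matter.
jls_children_fields() {
    jail_name=$1
    awk -v want="$jail_name" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["name"] == want { print $col["children.max"], $col["children.cur"] }
    '
}

# Pure helper: compare the host-side (jls) values with the in-jail sysctl
# values. Returns 0 when they agree and 1 when they differ, which is the
# behaviour the report describes.
children_match() {
    jls_max=$1; jls_cur=$2; sys_max=$3; sys_cur=$4
    if [ "$jls_max" = "$sys_max" ] && [ "$jls_cur" = "$sys_cur" ]; then
        echo "match: children.max=$jls_max children.cur=$jls_cur"
        return 0
    fi
    echo "MISMATCH: jls says max=$jls_max cur=$jls_cur;" \
         "in-jail sysctl says max=$sys_max cur=$sys_cur"
    return 1
}

# Host-side driver: create the parent and child jail, collect both views,
# compare them, and remove the jails again.
repro_children_sysctl() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }
    [ "$(uname -s)" = FreeBSD ] || { echo "FreeBSD only" >&2; return 2; }

    jail -c name=foo host.hostname=foo children.max=99 persist
    # Remove the child first, then the parent, even if a step below fails.
    trap 'jail -r foo.bar 2>/dev/null; jail -r foo' EXIT

    jexec foo jail -c name=bar host.hostname=bar persist

    # What the host sees for jail foo.
    set -- $(jls -h jid name children.max children.cur | jls_children_fields foo)
    host_max=$1; host_cur=$2

    # What a process inside jail foo sees via the sysctl namespace.
    in_max=$(jexec foo sysctl -n security.jail.param.children.max)
    in_cur=$(jexec foo sysctl -n security.jail.param.children.cur)

    children_match "$host_max" "$host_cur" "$in_max" "$in_cur"
}

# Only run the driver when asked explicitly; the helpers stay usable alone.
if [ "${1:-}" = "--run" ]; then
    repro_children_sysctl
fi
```

Run it as `sh repro.sh --run` on the host. On the builds named in the report the expected result is a MISMATCH line (jls reports max=99 cur=1 while the in-jail sysctls both read 0); a "match" line would indicate the behaviour has changed.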
Comment 1 Jamie Gritton 2018-11-17 02:23:29 UTC
No, there's no way to get these parameter values from within a jail.  The security.jail.param.* sysctls were never there to show any jail values - I only used them because the sysctl system already exists, and they were a good way to relay dynamic parameters to e.g. libjail(3).

So there are two problems here.  The first is that I should probably find a way to provide the parameter-description function without putting them in the sysctl namespace, as the natural expectation of a useable value is a constant source of confusion.

The second is that there should be a standard way for a jail to discover certain things about itself.  For the allow.* parameters, there's an ad-hoc set of sysctls that largely predate the modern jail_set(2) system, but there's generally no way to discover any other value.  Care needs to be taken here, as some parameters (such as path) are completely outside of the jail and not really the jail's business.  Many others (such as children.max) can be discovered easily enough in a cumbersome and roundabout way, so there's no reason not to present them in a clear fashion.