-
V_PauAmma_V
Re your first question; "sysctl -ad | grep -F security.jail" is what I'd use. Re your second: is setting it in jail.conf an option?
-
Midjak
I didn't succeed in putting this option in /etc/jail.conf.d. I even tried to give this file with the -f option. It doesn't work. The only thing which works is to set the variable in the host. But this allows the option for all jails.
-
V_PauAmma_V
Then I don't know.
-
Midjak
Do you have an example of /etc/jail.conf?
-
Midjak
Can these options be given to each jail, or are they global to all jails?
-
V_PauAmma_V
See the manual page for jail.conf.
-
Midjak
Yes I saw this
-
Midjak
man jail, man jail.conf etc...
-
scoobybejesus
allow.raw_sockets = "1";
-
V_PauAmma_V
What FreeBSD version are you using? The way I read the manual pages, that should be possible on 13.x.
-
scoobybejesus
that is what i use in my per-jail configs
-
Midjak
well I have removed what I've done in /etc/jails/conf.d and rewritten /etc/jail.conf as given in the example, with the option I want. It works
-
Midjak
Thanks
-
Midjak
allow_raw_sockets works now
-
V_PauAmma_V
Glad to hear it.
-
Midjak
doc is not very clear for a newbie
-
devnull
Hi guys, does someone know if it is possible to restrict certain syscalls just for a third-party binary?
-
V_PauAmma_V
Restrict which syscalls in which ways? Depending on what you want specifically, jails may work for you. For a finer-grained but harder to implement way, capsicum(4) may be the answer.
-
mns
With Google Domains now being sold to Squarespace, I'm looking for a new DNS provider. Anyone have any recommendations?
-
mns
s/DNS provider/domain registrar/
-
devnull
V_PauAmma_V exec() for example. As far as I know, to use capsicum(4) I need to have access to the source code, similar to pledge on OpenBSD. But it is a binary whose code I don't have access to, for this reason I would like to block access to this system call just for this application. The binary is already in a Jail. But I would like to close it even more.
-
V_PauAmma_V
devnull, you could leave no other executable file in that jail. Then it won't have anything to exec.
-
devnull
V_PauAmma_V yes, but I wouldn't want to install a jail just for that app. This app works with apache, I would have to install another apache in that jail on another port. I will, if there is no other way to block the open() and exec() system calls. If I block at the kernel level, it blocks system-wide, not just for an application.
-
darwin
did anyone try QuBSD, which is software added onto FreeBSD?
-
llua
i would imagine the creators did
-
V_PauAmma_V
Then I don't know. Or can't think, maybe.
-
rtprio
mns: namecheap has served me well enough
-
rtprio
devnull: works with apache? is it an apache module?
-
rtprio
devnull: have you heard of LD_PRELOAD ?
-
rtprio
-
VimDiesel
Title: A Simple LD_PRELOAD Tutorial
-
meena
why are 99% of all jails managers written in shell? why is a Qubes inspired jails manager written in shell?
-
parv
meena, Is that a trick question? Either that, or you want to have a rant on. I am here for either
-
meena
somebody asked if anyone's tried
github.com/BawdyAnarchist/quBSD so i went looking, and got instant disappointment
-
VimDiesel
Title: GitHub - BawdyAnarchist/quBSD: A FreeBSD jails and bhyve wrapper; which emulates a Qubes-like containerization schema
-
nimaje
well, shell is easy or something similar, at least you won't notice that your code is totally broken until it is far too late
-
meena
tbf: all our other interfaces are piss poor
-
meena
there's jail(3lua), but then you have nothing for ZFS
-
rtprio
just link to libzfs_core.so directly
-
rtprio
there's always an interface
-
nimaje
I thought there was something, how does loader support zfs?
-
meena
libzfs_core.so is not API stable, which is why we don't expose it
-
meena
otoh, we don't expose flua either
-
yuripv
meena: is libzfs_core.h being in /usr/include not enough for "exposing"?
-
meena
devnull: if this is a php application, you can use
php.net/manual/en/ini.core.php#ini.open-basedir as a start
-
VimDiesel
Title: PHP: Description of core php.ini directives - Manual
-
meena
I wonder how hard it would be to write a mac(9) module to generalise syscall filtering
-
bapt
check for mac_curtain in reviews
-
meena
devnull: also, if it is a php application, please use fpm instead of Apache Httpd for running it…
-
meena
bapt: are they using sysctl for configuring it?
-
kenrap
meena: regarding things being in shell, I think sometimes it's also about them having no extra dependencies? Either that, then I dunno.
-
meena
kenrap: flua is in Base, but it is quite limited so far
-
kenrap
I see, gotcha
-
mns
rtprio: Thanks. I did look at them. Also looked at Cloudflare, and am going to go with Cloudflare. Price is cheaper, plus I am familiar with their infrastructure from work so that helps.
-
thumbs
devnull: privilege separation is near impossible if you use the mod_php DSO, as meena stated.
-
antranigv
meena altho I do use flua and libzfsc in prod :)))
-
meena
antranigv: good. good.
-
antranigv
meena has not bitten us yet :D but I expect it would if we do a major release change?
-
meena
antranigv: libzfs_core does change quite frequently, but we haven't had a big import in a while… are you doing this on CURRENT?
-
yuripv
meena: any examples of libzfs_core changing? libzfs changes, yes, libzfs_core is versioned (at least in illumos and by mistake, but still)
-
meena
hah…
-
meena
yuripv: did i get it wrong? is it the other way around?
-
yuripv
yes, likely you meant the other way round
-
yuripv
libzfs is unstable
-
yuripv
illumos.org/issues/2882 doesn't say anything about stable API and blog link is dead
-
VimDiesel
Title: Feature #2882: implement libzfs_core - illumos gate - illumos
-
yuripv
but somehow library map file was getting updated with public versions :D
-
devnull
meena it's a third-party framework integrated into IBM WebSphere Application Server, that works with apache. php isn't involved. I'm reading about the seccomp bpf filter, but despite the name (Berkeley Packet Filter), it is not available on FreeBSD. In this tool, I specify in a .json file a profile that blocks certain system calls and I call seccomp linking my application and the policy. Very interesting.
-
RhodiumToad
bpf is a language that was invented for snooping on network traffic, but linux has repurposed it for other things
-
devnull
RhodiumToad yes, so weird
-
RhodiumToad
it has the feature of not being turing-complete by way of not having any looping constructs
-
devnull
I like the concept, although the implementation is weird and questionable.
-
dstolfa
devnull: if you're looking for a seccomp-ish thing on freebsd, look at capsicum
-
dstolfa
that's the standard go-to.
-
devnull
dstolfa yes, but it is a third-party application, I haven't access to the source code. To use capsicum, I need to modify the source code, as far as I know.
-
dstolfa
yup, that is correct
-
yuripv
write libc wrapper and use libmap.conf for that binary
-
RhodiumToad
yuk
-
yuripv
:D
-
meena
test mac_curtain!
-
devnull
yuripv but without source code access? As far as I know I would need to modify the system library and the dynamic linker to do this. But without source code it isn't possible. But I will search more about this. Thanks.
-
devnull
meena mac_curtain changes the behavior of the whole system, not of an isolated application. Or am I wrong?
-
yuripv
you don't need the app source, libmap.conf would allow you to redirect the binary to another libc (but there are certainly better solutions!)
-
devnull
yuripv wow, thanks! I will research more about it
-
kevans
pretty sure someone had a PoC for capsicum-wrapping a black box
-
kevans
there was at least a GSoC project about it:
wiki.freebsd.org/SummerOfCode2018Pr…cts/ObliviousSandboxingwithCapsicum but I feel like there was something else I'm remembering
-
VimDiesel
Title: SummerOfCode2018Projects/ObliviousSandboxingwithCapsicum - FreeBSD Wiki
-
devnull
kevans and about pledge on OpenBSD? It seems to me to have interesting restriction features, maybe even more than capsicum.
-
meena
devnull: i reckon mac_curtain will be configurable. all the other mac modules are
-
devnull
meena thanks, I will research about it too :D
-
meena
-
VimDiesel
Title: ⚙ D34761 mac_curtain infrastructure: syscall filters
-
yuripv
seems to be a year without updates
-
devnull
meena interesting, thanks for sharing
-
debdrup
RhodiumToad: who needs looping anyway? What's it ever done for us?
-
debdrup
devnull: jails exist for your exact use-case
-
debdrup
and they have for.. quite a bit of time :)
-
devnull
debdrup yes. But I already use a jail with apache. I don't want to have another jail with another apache (listening on another external port) with IBM WebSphere Application Server.
-
debdrup
devnull: why not? Back in the mid-2000s, I was running a few thousand jails on an Alpha server - considering how much faster systems are nowadays, I can't imagine how many jails you could run in total
-
RhodiumToad
one would hope no significant code paths have to iterate over all jails
-
devnull
I'll study the other solutions from colleagues, but if I can't, I'll do it. I use many jails, but one jail for each service (apache, mariadb, ircd). In that case I would need another jail with another apache listening on another port. It's not difficult, resources wouldn't be a problem either, but if there was an alternative for me to do this in the same apache jail, it would be interesting.
-
devnull
But you're right. Maybe I'm making a process difficult that I could do in a simple way using another jail with another apache/IBM App anyway xP
-
devnull
Still, I'm interested in the knowledge about syscall isolation on processes.
-
antranigv
Anyone knows how to fix this? ld: error: unable to find library -lsupc++
-
antranigv
I've never seen supc++ before
-
devnull
antranigv lsupc++ no, but -lsup yes, it is a C library that uses libsup.so
-
antranigv
devnull is that a Linux specific thing?
-
nimaje
hm, found "Libsupc++ is a support library for g++ that contains functions dealing with run-time type information (RTTI) and exception handling.", so maybe compile with gcc
-
devnull
antranigv gcc thing.
-
devnull
-
VimDiesel
Title: Frequently Asked Questions
-
devnull
topic "What's libsupc++?"
-
nimaje
reads like it is manual ahead of time garbage collection for some libc++ functions, so probably better to drop it and instead tell your linker to remove functions that aren't needed (?)
-
devnull
Yeah, it is a try.
-
meena
who needs garbage collection anyway? What's it ever done for us?
-
devnull
meena indeed
-
markmcb
aside from writing code, are there other ways to volunteer on the project? i'm looking at the "marketing" page with a fresh presentation from 2005. something like an outreach or comms team? it's not clear to me how to get plugged in to the non-code side of things.
-
V_PauAmma_V
-
VimDiesel
Title: Contributing to FreeBSD | FreeBSD Documentation Portal
-
markmcb
thanks
-
carlavilla
markmcb: if this article is not enough, send an email to me 'carlavilla⊙Fo' and I'll try to help you
-
markmcb
ok, will do. i've got a few questions beyond the scope of the article. thanks!
-
carlavilla
np
-
antranigv
devnull thanks! I just finished porting that software :)
-
antranigv
anyone knows if Jails have any specific ulimits?
-
meena
antranigv: jails have, or can have their own /etc/login.conf
-
mason
I'd be grateful if someone could share a link they like for handling asymmetric bandwidth in IPFW.
-
bsdbandit01_
good afternoon is there a dedicated channel for bhyve or can i just ask my question here ?
-
ELPolako
bsdbandit01_: What is your question on bhyve?
-
bsdbandit01_
is there a way for me to use an ova file with freebsd bhyve
-
bsdbandit01_
i downloaded a custom vm that was saved as an ova file
-
ELPolako
bsdbandit01_: To use an OVA file with Bhyve, you typically need to extract the contents of the OVA package and convert the virtual machine image to a format supported by Bhyve, such as RAW or qcow2.
-
bsdbandit01_
gotcha
-
bsdbandit01_
do you know of a tool that i can use for freebsd that can extract an ova ELPolako ?
-
bsdbandit01_
I've been googling and people on the forums say that it can be done but have never done it
-
ELPolako
bsdbandit01_: Use an archiving tool like 7-Zip or tar to extract the contents of the OVA file.
-
bsdbandit01_
ok
-
bsdbandit01_
thanks
-
ELPolako
np
-
mason
Interesting. Is this still accurate?
forums.freebsd.org/threads/prioriti…e-empty-ack-packets-with-ipfw.23855 It's saying ipfw lacks a mechanism to prioritize certain packets. But it's also 13 years old.
-
VimDiesel
Title: Prioritize empty ack packets with ipfw? | The FreeBSD Forums
-
meena
mason: any way to quickly check the code?
-
mason
meena: I'm not sure what to look for, or I could. I'm seeing descriptions of it for pf, but not for ipfw.
-
meena
mason: if the two are using a common implementation for those code paths, then ipfw might support it, but someone forgot to document it
-
mason
It's possible, yeah. My understanding is that pf in FreeBSD has diverged significantly.
-
mason
-
VimDiesel
Title: PF: Packet Queueing and Prioritization
-
mason
-
VimDiesel
Title: altq(4)
-
mason
-
VimDiesel
Title: 29.4. PF and ALTQ
-
meena
how old is that first version?
-
mason
Unsure, but it indicates "new enough" in that OpenBSD PF at the point noted already had altq integration.
-
mason
That said, it seems like maybe it's possible with ipfw as well, which would be ideal.
-
meena
what are you trying to do?
-
mason
meena: I'm moving from symmetric to asymmetric Internet at home - paying more for less. I want to make sure the asymmetric bandwidth doesn't cause problems, which I've observed in the past.
-
rtprio
mason: you peg your connection that often for it to be a problem?
-
mason
rtprio: It's happened in the past, and it's Hell on meetings and interactive shell sessions.
-
mason
I'd like to do something slicker than I had last time I had an asymmetric connection. Seems reasonable, no?
-
rtprio
i've used pf and ipfw to do it in the past, usually didn't notice a difference with or without it
-
mason
rtprio: What did you use for the priority management and traffic shaping?
-
mason
Looks like my option is going to be pf/altq. I imagine pf won't be too wildly far afield for me, since my first firewalling language was ipf.