00:04:20 Re your first question; "sysctl -ad | grep -F security.jail" is what I'd use. Re your second: is setting it in jail.conf an option?
00:09:00 I didn't succeed in putting this option in /etc/jail.conf.d. I even tried to give this file with the -f option. It doesn't work. The only thing which works is to set the variable in the host. But this allows the option for all jails.
00:09:57 Then I don't know.
00:10:23 Do you have an example of /etc/jail.conf?
00:11:54 Can these options be given to each jail, or are they global to all jails?
00:12:27 See the manual page for jail.conf.
00:12:48 Yes I saw this
00:13:00 man jail, man jail.conf etc...
00:19:40 allow.raw_sockets = "1";
00:19:46 What FreeBSD version are you using? The way I read the manual pages, that should be possible on 13.x.
00:20:02 that is what i use in my per-jail configs
00:22:58 well I have removed what I've done in /etc/jails/conf.d and rewritten /etc/jail.conf as given in the example with the option I want. It works
00:23:01 Thanks
00:23:22 allow_raw_sockets works now
00:23:49 Glad to hear it.
00:25:31 doc is not very clear for a newbie
00:33:50 Hi guys, does someone know if it is possible to restrict certain syscalls just for a third party binary?
00:42:18 Restrict which syscalls in which ways? Depending on what you want specifically, jails may work for you. For a finer-grained but harder to implement way, capsicum(4) may be the answer.
01:50:56 With Google Domains now being sold to Squarespace, I'm looking for a new DNS provider. Anyone have any recommendations?
01:53:38 s/DNS provider/domain registrar/
03:07:54 V_PauAmma_V exec() for example. As far as I know, to use capsicum(4) I need to have access to the source code, similar to pledge on OpenBSD. But it is a binary whose code I don't have access to, so for this reason I would like to block access to this system call just for this application. The binary is already in a Jail. But I would like to close it even more.
04:04:51 devnull, you could leave no other executable file in that jail. Then it won't have anything to exec.
04:19:32 V_PauAmma_V yes, but I wouldn't want to install a jail just for that app. This app works with apache, I would have to install another apache in that jail on another port. I will, if there is no other way to block the open() and exec() system calls. If I block at the kernel level, it blocks system-wide, not just for one application.
04:23:59 did anyone try QuBSD, which is software added onto FreeBSD?
04:25:27 i would imagine the creators did
04:36:47 Then I don't know. Or can't think, maybe.
07:09:13 mns: namecheap has served me well enough
07:09:59 devnull: works with apache? is it an apache module?
07:10:54 devnull: have you heard of LD_PRELOAD?
07:11:06 https://catonmat.net/simple-ld-preload-tutorial
07:11:07 Title: A Simple LD_PRELOAD Tutorial
07:12:41 why are 99% of all jail managers written in shell? why is a Qubes inspired jails manager written in shell?
07:14:05 meena, Is that a trick question? Either that, or you want to have a rant on. I am here for either
07:15:24 somebody asked if anyone's tried https://github.com/BawdyAnarchist/quBSD so i went looking, and got instant disappointment
07:15:25 Title: GitHub - BawdyAnarchist/quBSD: A FreeBSD jails and bhyve wrapper; which emulates a Qubes-like containerization schema
07:15:42 well, shell is easy or something similar, at least you won't notice that your code is totally broken until it is far too late
07:15:46 tbf: all our other interfaces are piss poor
07:18:50 there's jail(3lua), but then you have nothing for ZFS
07:19:55 just link to libzfs_core.so directly
07:20:04 there's always an interface
07:21:18 I thought there was something, how does loader support zfs?
07:22:34 libzfs_core.so is not API stable, which is why we don't expose it
07:22:53 otoh, we don't expose flua either
07:35:51 meena: is libzfs_core.h being in /usr/include not enough for "exposing"?
07:44:58 devnull: if this is a php application, you can use https://www.php.net/manual/en/ini.core.php#ini.open-basedir as a start
07:45:00 Title: PHP: Description of core php.ini directives - Manual
07:45:45 I wonder how hard it would be to write a mac(9) module to generalise syscall filtering
07:46:06 check for mac_curtain in reviews
07:47:00 devnull: also, if it is a php application, please use fpm instead of Apache Httpd for running it…
07:59:23 bapt: are they using sysctl for configuring it?
10:08:20 meena: regarding things being in shell, I think sometimes it's also about them having no extra dependencies? Either that, then I dunno.
11:05:03 kenrap: flua is in Base, but it is quite limited so far
11:06:45 I see, gotcha
13:08:34 rtprio: Thanks. I did look at them. Also looked at Cloudflare, and am going to go with Cloudflare. Price is cheaper, plus I am familiar with their infrastructure from work so that helps.
14:28:32 devnull: privilege separation is near impossible if you use the mod_php DSO, as meena stated.
14:44:25 meena although I do use flua and libzfsc in prod :)))
14:44:36 antranigv: good. good.
14:45:01 meena has not bitten us yet :D but I expect it would if we do a major release change?
14:45:54 antranigv: libzfs_core does change quite frequently, but we haven't had a big import in a while… are you doing this on CURRENT?
14:51:57 meena: any examples of libzfs_core changing? libzfs changes, yes, libzfs_core is versioned (at least in illumos and by mistake, but still)
14:52:24 hah…
14:53:19 yuripv: did i get it wrong? is it the other way around?
14:53:35 yes, likely you meant the other way round
14:53:55 libzfs is unstable
14:56:27 https://www.illumos.org/issues/2882 doesn't say anything about a stable API and the blog link is dead
14:56:28 Title: Feature #2882: implement libzfs_core - illumos gate - illumos
14:57:04 but somehow the library map file was getting updated with public versions :D
15:19:43 meena it's a third party framework integrated into IBM WebSphere Application Server, that works with apache. php isn't involved. I'm reading about the seccomp bpf filter, but despite the name (Berkeley Packet Filter), it is not available on FreeBSD. In this tool, I specify in a .json file a profile that blocks certain system calls and I call seccomp linking my application and the policy. Very interesting.
15:26:33 bpf is a language that was invented for snooping on network traffic, but linux has repurposed it for other things
15:27:05 RhodiumToad yes, so weird
15:27:10 it has the feature of not being turing-complete by way of not having any looping constructs
15:28:47 I like the concept, although the implementation is weird and questionable.
15:30:24 devnull: if you're looking for a seccomp-ish thing on freebsd, look at capsicum
15:30:29 that's the standard go-to.
15:33:11 dstolfa yes, but it is a third party application, I haven't access to the source code. To use capsicum, I need to modify the source code, as far as I know.
15:33:24 yup, that is correct
15:34:43 write a libc wrapper and use libmap.conf for that binary
15:35:31 yuk
15:35:39 :D
15:36:45 test mac_curtain!
15:40:41 yuripv but without source code access? As far as I know I would need to modify the system library and dynamic linker to do this. But without source code it isn't possible. But I will search more about this. Thanks.
15:41:55 meena mac_curtain changes the behavior of the whole system, not of an isolated application. Or am I wrong?
15:41:58 you don't need the app source, libmap.conf would allow you to redirect the binary to another libc (but there are certainly better solutions!)
15:42:34 yuripv wow, thanks! I will research more about it
15:42:47 pretty sure someone had a PoC for capsicum-wrapping a black box
15:43:57 there was at least a GSoC project about it: https://wiki.freebsd.org/SummerOfCode2018Projects/ObliviousSandboxingwithCapsicum but I feel like there was something else I'm remembering
15:43:58 Title: SummerOfCode2018Projects/ObliviousSandboxingwithCapsicum - FreeBSD Wiki
15:44:52 kevans and what about pledge on OpenBSD? It seems to me to have interesting restriction features, maybe even more than capsicum.
15:47:25 devnull: i reckon mac_curtain will be configurable. all the other mac modules are
15:48:08 meena thanks, I will research about it too :D
15:54:01 devnull: https://reviews.freebsd.org/D34761
15:54:03 Title: ⚙ D34761 mac_curtain infrastructure: syscall filters
16:19:15 seems to be a year without updates
16:27:10 meena interesting, thanks for sharing
17:23:00 RhodiumToad: who needs looping anyway? What's it ever done for us?
17:23:44 devnull: jails exist for your exact use-case
17:23:50 and they have for.. quite a bit of time :)
17:31:06 debdrup yes. But I already use a jail with apache. I don't want to have another jail with another apache (listening on another external port) with IBM WebSphere Application Server.
17:32:06 devnull: why not? Back in the mid-2000s, I was running a few thousand jails on an Alpha server - considering how much faster systems are nowadays, I can't imagine how many jails you could run in total
17:33:04 one would hope no significant code paths have to iterate over all jails
17:37:18 I'll study the other solutions from colleagues, but if I can't, I'll do it. I use many jails, but one jail for each service (apache, mariadb, ircd). In that case I would need another jail with another apache listening on another port. It's not difficult, resources wouldn't be a problem either, but if there was an alternative for me to do this in the same apache jail, it would be interesting.
17:43:33 But you're right. Maybe I'm making a process difficult that I could do in a simple way using another jail with another apache/IBM App anyway xP
17:43:47 Still, I'm interested in the knowledge about syscall isolation on processes.
18:18:43 Anyone know how to fix this? ld: error: unable to find library -lsupc++
18:18:48 I've never seen supc++ before
18:21:24 antranigv lsupc++ no, but -lsup yes, it is a C library that uses libsup.so
18:21:43 devnull is that a Linux specific thing?
18:23:41 hm, found "Libsupc++ is a support library for g++ that contains functions dealing with run-time type information (RTTI) and exception handling.", so maybe compile with gcc
18:25:47 antranigv gcc thing.
18:25:52 antranigv https://gcc.gnu.org/onlinedocs/libstdc++/faq.html#2_5
18:25:53 Title: Frequently Asked Questions
18:26:05 topic "What's libsupc++?"
18:27:27 reads like it is manual ahead of time garbage collection for some libc++ functions, so probably better to drop it and instead tell your linker to remove functions that aren't needed (?)
18:32:47 Yeah, it is a try.
18:33:02 who needs garbage collection anyway? What's it ever done for us?
18:37:53 meena indeed
18:38:20 aside from writing code, are there other ways to volunteer on the project? i'm looking at the "marketing" page with a fresh presentation from 2005. something like an outreach or comms team? it's not clear to me how to get plugged in to the non-code side of things.
18:40:40 https://docs.freebsd.org/en/articles/contributing/
18:40:41 Title: Contributing to FreeBSD | FreeBSD Documentation Portal
18:44:58 thanks
18:51:50 markmcb: if this article is not enough, send an email to me 'carlavilla⊙Fo' and I'll try to help you
18:55:23 ok, will do. i've got a few questions beyond the scope of the article. thanks!
18:56:18 np
19:21:15 devnull thanks! I just finished porting that software :)
19:21:23 anyone know if Jails have any specific ulimits?
19:40:52 antranigv: jails have, or can have their own /etc/login.conf
20:21:32 I'd be grateful if someone could share a link they like for handling asymmetric bandwidth in IPFW.
20:59:36 good afternoon is there a dedicated channel for bhyve or can i just ask my question here?
21:03:25 bsdbandit01_: What is your question on bhyve?
21:08:33 is there a way for me to use an ova file with freebsd bhyve
21:09:12 i downloaded a custom vm that was saved as an ova file
21:11:34 bsdbandit01_: To use an OVA file with Bhyve, you typically need to extract the contents of the OVA package and convert the virtual machine image to a format supported by Bhyve, such as RAW or qcow2.
21:12:37 gotcha
21:18:07 do you know of a tool that i can use for freebsd that can extract an ova ELPolako?
21:19:00 ive been googling and people on the forums say that it can be done but have never done it
21:19:05 bsdbandit01_: Use an archiving tool like 7-Zip or tar to extract the contents of the OVA file.
21:19:15 ok
21:19:17 thanks
21:19:39 np
22:04:44 Interesting. Is this still accurate? https://forums.freebsd.org/threads/prioritize-empty-ack-packets-with-ipfw.23855/ It's saying ipfw lacks a mechanism to prioritize certain packets. But it's also 13 years old.
22:04:45 Title: Prioritize empty ack packets with ipfw? | The FreeBSD Forums
22:09:34 mason: any way to quickly check the code?
22:10:07 meena: I'm not sure what to look for, or I could. I'm seeing descriptions of it for pf, but not for ipfw.
22:11:28 mason: if the two are using a common implementation for those code paths, then ipfw might support it, but someone forgot to document it
22:11:54 It's possible, yeah. My understanding is that pf in FreeBSD has diverged significantly.
22:12:07 https://docstore.mik.ua/manuals/openbsd/faq/pf/queueing.html#priq fwiw
22:12:08 Title: PF: Packet Queueing and Prioritization
22:13:49 This is hopeful: https://man.freebsd.org/cgi/man.cgi?query=altq&sektion=4&format=html
22:13:50 Title: altq(4)
22:16:25 Hm, the handbook diverges a bit, https://people.freebsd.org/~blackend/en_US.ISO8859-1/books/handbook/firewalls-pf.html vs https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-pf
22:16:27 Title: 29.4. PF and ALTQ
22:20:21 how old is that first version?
22:27:08 Unsure, but it indicates "new enough" in that OpenBSD PF at the point noted already had altq integration.
22:27:21 That said, it seems like maybe it's possible with ipfw as well, which would be ideal.
22:29:38 what are you trying to do?
22:30:43 meena: I'm moving from symmetric to asymmetric Internet at home - paying more for less. I want to make sure the asymmetric bandwidth doesn't cause problems, which I've observed in the past.
23:08:01 mason: you peg your connection that often for it to be a problem?
23:09:08 rtprio: It's happened in the past, and it's Hell on meetings and interactive shell sessions.
23:09:49 I'd like to do something slicker than I had last time I had an asymmetric connection. Seems reasonable, no?
23:14:26 i've used pf and ipfw to do it in the past, usually didn't notice a difference with or without it
23:37:00 rtprio: What did you use for the priority management and traffic shaping?
23:41:17 Looks like my option is going to be pf/altq. I imagine pf won't be too wildly far afield for me, since my first firewalling language was ipf.