From csg@maelstrom.waterspout.com  Fri Oct 24 13:38:12 2003
Return-Path: <csg@maelstrom.waterspout.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0261516A4B3
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 24 Oct 2003 13:38:12 -0700 (PDT)
Received: from maelstrom.waterspout.com (rrcs-ma-24-56-74-54.biz.rr.com [24.56.74.54])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 86BCE43FCB
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 24 Oct 2003 13:38:10 -0700 (PDT)
	(envelope-from csg@maelstrom.waterspout.com)
Received: from maelstrom.waterspout.com (localhost [127.0.0.1])
	by maelstrom.waterspout.com (8.12.9p1/8.12.9) with ESMTP id h9OKboPH068465
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 24 Oct 2003 15:37:51 -0500 (CDT)
	(envelope-from csg@maelstrom.waterspout.com)
Received: (from csg@localhost)
	by maelstrom.waterspout.com (8.12.9p1/8.12.9/Submit) id h9OKbj4G068464;
	Fri, 24 Oct 2003 15:37:45 -0500 (CDT)
Message-Id: <200310242037.h9OKbj4G068464@maelstrom.waterspout.com>
Date: Fri, 24 Oct 2003 15:37:45 -0500 (CDT)
From: "C. Stephen Gunn" <csg@waterspout.com>
Reply-To: "C. Stephen Gunn" <csg@waterspout.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: sysctl knob to return current process' jid
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         58497
>Category:       kern
>Synopsis:       sysctl knob to return current process' jid
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 24 13:40:12 PDT 2003
>Closed-Date:    Wed Apr 11 18:02:16 GMT 2007
>Last-Modified:  Wed Apr 11 18:02:16 GMT 2007
>Originator:     C. Stephen Gunn
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
WaterSpout Communications, Inc.
>Environment:

FreeBSD dual450.waterspout.com 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sun Oct 19 21:57:46 CDT 2003     root@dual450.waterspout.com:/usr/src/sys/i386/compile/DUAL450  i386

>Description:
There is no easy way to tell if a process is operating in a Jail
environment.  This lever would be useful in /etc/rc to avoid
invocations of privledged commands (sysctl, mount, fsck, etc)
that are known to be prohibited in the jail.

I have other work against the /etc/rc subsystem that uses this
mechanism to avoid carping about operations that are not permitted.

>How-To-Repeat:
Start a jail and execute /etc/rc, watch all the errors and warnings,
fiddle with 'ps | grep ..J..' for a while trying to figure out
if you are currently in a jail.

>Fix:

The following patch (against current), adds a sysctl knob that returns
the jid of the calling process, or 0 when the process is not jailed.

http://www.waterspout.com/csg/patch/security_jail_jid.diff
MD5 (security_jail_jid.diff) = b4b6e0fa944271977c94688e76e9f372

>Release-Note:
>Audit-Trail:

From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To: "C. Stephen Gunn" <csg@waterspout.com>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/58497: sysctl knob to return current process' jid 
Date: Fri, 24 Oct 2003 22:57:39 +0200

 >There is no easy way to tell if a process is operating in a Jail
 >environment.
 
 Yes, in fact there is:
 
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/sysctl.h>
 #include <sys/param.h>
 #include <sys/user.h>
 
 /*
  * Exit 0 = no
  * Exit 1 = maybe
  * Exit 2 = yes
  */
 
 int
 main(int argc, char **argv)
 {
 	int mib[4];
 	int i, l;
 	struct kinfo_proc buf;
 
 	mib[0] = CTL_KERN;
 	mib[1] = KERN_PROC;
 	mib[2] = KERN_PROC_PID;
 	mib[3] = getpid();
 	l = sizeof buf;
 	i = sysctl(mib, 4, &buf, &l, NULL, 0);
 	if (i != 0 || l != sizeof buf)
 		exit(1);
 	if (buf.kp_proc.p_flag & P_JAILED)
 		exit(2);
 	exit (0);
 }
 
 -- 
 Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
 phk@FreeBSD.ORG         | TCP/IP since RFC 956
 FreeBSD committer       | BSD since 4.3-tahoe    
 Never attribute to malice what can adequately be explained by incompetence.

From: "C. Stephen Gunn" <csg@maelstrom.waterspout.com>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/58497: sysctl knob to return current process' jid 
Date: Fri, 24 Oct 2003 16:50:35 -0500

 On Fri, 24 Oct 2003 22:57:39 +0200, "Poul-Henning Kamp" wrote:
 
 > >There is no easy way to tell if a process is operating in a Jail
 > >environment.
 > 
 > Yes, in fact there is:
 
 Good point, my problem statemen was unnecessairly broad.  As we
 discussed on IRC, perhaps letting jail'd processes learn their
 jid servese no useful purpose, which might weaken security.
 
 For posterity, one way to detect if we're operating in a jail from
 the command line would be something like:
 
 INJAIL=`ps -p $$ | awk '$3 ~ /.*J/ { print "yes" };'`
 
 Unless someone sees other value in a sysctl to get the JID,
 someone can go ahead and resolve this request.  Thanks.
 
  - Steve
 

From: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To: bug-followup@FreeBSD.org, csg@waterspout.com
Cc:  
Subject: Re: kern/58497: sysctl knob to return current process' id
Date: Wed, 11 Apr 2007 18:23:35 +0100

 Submitter says this PR can now be closed.  There is also now the
 security.jail.jailed sysctl to achieve what the submitter originally
 requested.
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Wed Apr 11 18:02:14 UTC 2007 
State-Changed-Why:  
Gavin replies that this pr can be closed, make it happen. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58497 
>Unformatted:
