@dlangille
Created October 24, 2019 15:50
Try not using allow_sysvipc for jails
[Oct 24 06:55] <debdrup> dvl: an addendum to your post; you should avoid using allow_sysvipc and instead
use the sysvmsg, sysvshm, and sysvsem properties (ie. set them to new).
[Oct 24 06:56] <debdrup> with allow_sysvipc the SysV IPC is still shared with the host, whereas the new
properties isolate SysV IPC to per-jail
From man iocage:
Note sysvmsg, sysvsem, and sysvshm are disabled by default.
allow_sysvipc=[1 | 0]
Set whether a process in the jail has access to System V
IPC primitives. Prior to FreeBSD 11.0, System V primitives
share a single namespace across the host and jail
environments, meaning that processes within a jail would be
able to communicate with, and potentially interfere with,
processes outside of the jail, or in other jails. In
FreeBSD 11.0 and later, this setting is deprecated. Use
sysvmsg, sysvsem, and sysvshm instead.
Default: 0
Source: jail(8)
sysvmsg=[disable | inherit | new]
Allow access to SYSV IPC message primitives. When set to
inherit, all IPC objects on the system are visible to this
jail, whether they were created by the jail itself, the
base system, or other jails. When set to new, the jail has
its own key namespace, and can only see the objects that it
has created. The system or parent jail has access to the
jail's objects, but not to its keys. When set to disable,
the jail cannot perform any sysvmsg-related system calls.
Ignored in FreeBSD 10.3 and earlier.
Default: disable
Source: jail(8)
sysvsem=[disable | inherit | new]
Allow access to SYSV IPC semaphore primitives in the same
manner as sysvmsg. Ignored in FreeBSD 10.3 and earlier.
Default: disable
Source: jail(8)
sysvshm=[disable | inherit | new]
Allow access to SYSV IPC shared memory primitives in the
same manner as sysvmsg. Ignored in FreeBSD 10.3 and
earlier.
Default: disable
Source: jail(8)
[dan@r710-01:~] $ iocage get all pkg01 | grep sysv
allow_sysvipc:1
sysvmsg:new
sysvsem:new
sysvshm:new
# note already set to new
[dan@r710-01:~] $ sudo iocage set allow_sysvipc=0 pkg01
allow_sysvipc: 1 -> 0
[dan@r710-01:~] $ iocage get all pkg01 | grep sysv
allow_sysvipc:0
sysvmsg:new
sysvsem:new
sysvshm:new
[dan@r710-01:~] $
[dan@r710-01:~] $ jls -n -j 82
devfs_ruleset=9 nodying enforce_statfs=1 host=new ip4=inherit ip6=inherit jid=82 linux=new name=ioc-pkg01
osreldate=1200086 osrelease=12.0-RELEASE-p10 parent=0 path=/iocage/jails/pkg01/root persist securelevel=-1
sysvmsg=new sysvsem=new sysvshm=new vnet=new allow.chflags allow.nomlock allow.mount allow.mount.devfs
allow.mount.nofdescfs allow.mount.linprocfs allow.mount.nullfs allow.mount.procfs allow.mount.tmpfs
allow.mount.zfs allow.noquotas allow.raw_sockets allow.noread_msgbuf allow.reserved_ports allow.set_hostname
allow.socket_af allow.nosysvipc children.cur=0 children.max=100 cpuset.id=4 host.domainname=none host.hostid=0
host.hostname=pkg01.int.unixathome.org host.hostuuid=pkg01 ip4.addr= ip4.saddrsel ip6.addr= ip6.saddrsel
linux.osname=Linux linux.osrelease=2.6.32 linux.oss_version=198144
[dan@r710-01:~] $
NOTE: sysvmsg=new sysvsem=new sysvshm=new on line 3 above
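Added example (my own, not dlangille's notes and not iocage's code): a small POSIX sh audit that parses the two outputs shown above, the `iocage get all <jail> | grep sysv` property dump and the `jls -n -j <jid>` parameter line, and reports whether the jail is SysV-isolated (allow_sysvipc=0 plus sysvmsg/sysvsem/sysvshm=new) or still shares the host namespace. The function names, the `demo` wrapper and the embedded sample strings are my constructs; the samples mirror the pkg01 output in the gist so the script runs without iocage or jls installed.

```shell
#!/bin/sh
# Audit SysV IPC isolation of an iocage jail from command output.
# Added example; function names and samples are assumptions, not iocage API.

# Values expected for a jail whose SysV IPC is isolated from the host.
WANT_ALLOW_SYSVIPC=0
WANT_SYSV_MODE=new

# Read "key:value" lines from `iocage get all <jail>` on stdin, print one
# finding per SysV property, and return 0 only when every property matches
# the isolated configuration (allow_sysvipc=0, sysv*=new).
audit_iocage_sysv() {
    awk -v want_ipc="$WANT_ALLOW_SYSVIPC" -v want_mode="$WANT_SYSV_MODE" '
        BEGIN { FS = ":"; bad = 0 }
        $1 == "allow_sysvipc" {
            seen[$1] = 1
            if ($2 != want_ipc) { bad = 1; print "FAIL allow_sysvipc=" $2 " (deprecated, shares host namespace; set to 0)" }
            else print "ok   allow_sysvipc=" $2
        }
        $1 == "sysvmsg" || $1 == "sysvsem" || $1 == "sysvshm" {
            seen[$1] = 1
            if ($2 != want_mode) { bad = 1; print "FAIL " $1 "=" $2 " (expected " want_mode ")" }
            else print "ok   " $1 "=" $2
        }
        END {
            split("allow_sysvipc sysvmsg sysvsem sysvshm", keys, " ")
            for (i in keys) if (!(keys[i] in seen)) { bad = 1; print "FAIL " keys[i] " not reported" }
            exit bad
        }'
}

# Read a `jls -n -j <jid>` line on stdin. jls -n prints boolean parameters
# as "allow.sysvipc" (on) or "allow.nosysvipc" (off). Prints "isolated" when
# the old flag is off and all three sysv* parameters are "new", "shared"
# when allow.sysvipc is on, and "mixed" for anything else.
jls_sysv_status() {
    tr ' ' '\n' | awk '
        $0 == "allow.nosysvipc" { noipc = 1 }
        $0 == "allow.sysvipc"   { ipc = 1 }
        /^sysv(msg|sem|shm)=/   { split($0, kv, "="); n++; if (kv[2] == "new") isolated++ }
        END {
            if (ipc) print "shared"
            else if (noipc && n == 3 && isolated == 3) print "isolated"
            else print "mixed"
        }'
}

# Constructed samples mirroring the gist's pkg01 output before and after
# `iocage set allow_sysvipc=0`, and an abridged `jls -n -j 82` line.
SAMPLE_BEFORE='allow_sysvipc:1
sysvmsg:new
sysvsem:new
sysvshm:new'

SAMPLE_AFTER='allow_sysvipc:0
sysvmsg:new
sysvsem:new
sysvshm:new'

SAMPLE_JLS='devfs_ruleset=9 nodying enforce_statfs=1 host=new jid=82 name=ioc-pkg01 sysvmsg=new sysvsem=new sysvshm=new vnet=new allow.chflags allow.mount allow.socket_af allow.nosysvipc children.cur=0'

# Wrappers that run the audit over the embedded samples.
check_before()      { printf '%s\n' "$SAMPLE_BEFORE" | audit_iocage_sysv; }
check_after()       { printf '%s\n' "$SAMPLE_AFTER"  | audit_iocage_sysv; }
jls_sample_status() { printf '%s\n' "$SAMPLE_JLS"    | jls_sysv_status; }

# Demo against the samples. On a real host replace the wrappers with
#   iocage get all pkg01 | audit_iocage_sysv
#   jls -n -j 82 | jls_sysv_status
demo() {
    echo "== iocage before =="; check_before || echo "-> still shared with host"
    echo "== iocage after  =="; check_after  && echo "-> isolated"
    echo "== jls =="; jls_sample_status
}
demo
```

The `iocage get` check is the one to script into a periodic audit: allow_sysvipc=1 overrides the per-jail namespaces and keeps the host's IPC objects reachable, so the jls parse is only the confirmation that the running jail actually picked up `allow.nosysvipc` after the `iocage set`.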
@dlangille

Builds still work.

@dlangille

I tested a newly created iocage jail. sysvmsg=new sysvsem=new sysvshm=new