Give jail an isolated loopback interface with ip 127.0.0.1/8
mtelvers committed Aug 9, 2023
1 parent 08460af commit 2d30bde
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/sandbox.jail.ml
@@ -74,7 +74,8 @@ let jail_options config rootdir tmp_dir =
match config.network with
| [ "host" ] ->
"ip4=inherit" :: "ip6=inherit" :: "host=inherit" :: options
| _ -> options
| _ ->
"exec.start=\"/sbin/ifconfig lo0 127.0.0.1/8\"" :: "vnet" :: options

dustanddreams Aug 21, 2023

It might be simpler to use "ip4.addr=127.0.0.1" rather than exec ifconfig on jail startup, here.

mtelvers (Author, Owner) Aug 21, 2023

No, ip4.addr=127.0.0.1 is incompatible with vnet.

$ jail -c name=foo vnet ip4.addr=127.0.0.1 command=sh
jail: vnet jails cannot have IP address restrictions

Setting ip4.addr=127.0.0.1 without vnet would share the host's loopback between jails. Therefore, two obuilder jobs could communicate by binding to 127.0.0.1 and opening a port. These two jails will talk to each other:

jail -c name=foo ip4.addr=127.0.0.1 command=nc -l 4000
jail -c name=bar ip4.addr=127.0.0.1 command=sh -c "ls | nc 127.0.0.1 4000"

dustanddreams Aug 21, 2023

No, ip4.addr=127.0.0.1 is incompatible with vnet.

Ah, right, I forgot about vnet. Ignore this, then.

in
List.rev_append options commandline
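Review bot: `exec.start` runs inside the jail, so the new `"exec.start=\"/sbin/ifconfig lo0 127.0.0.1/8\""` entry depends on every image rootfs under `rootdir` shipping `/sbin/ifconfig`; a base image without it will fail to configure lo0 and, with `vnet`, the job is left with no loopback address at all, so either document that requirement or check for the binary before adding the option. Two smaller points: the escaped double quotes become literal characters in the argv word handed to jail(8) unless the invocation goes through a shell, so please confirm jail strips them rather than passing `"/sbin/ifconfig lo0 127.0.0.1/8"` (quotes included) to `sh -c`; and the `| _ ->` arm deserves a short comment stating why `vnet` is used instead of `ip4.addr=127.0.0.1` (vnet jails reject IP restrictions, and a shared host loopback lets two jobs talk over 127.0.0.1), since that rationale currently lives only in the review thread.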

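The two-jail loopback probe from the discussion, as an added example that is not obuilder's code and not part of the thread: it runs the test in the "shared" configuration (`ip4.addr=127.0.0.1`, no vnet) that the thread shows leaking, and in the "isolated" configuration (`vnet` plus a private lo0) that the commit switches to. Assumptions: FreeBSD with VIMAGE, run as root, jail names `foo` and `bar` are free, and `$JAIL_ROOT` (default `/`) contains sh(1), nc(1) and ifconfig(8). Persistent jails plus jexec(8) are used instead of `command=` so the listener and the probe can be started separately.

```sh
#!/bin/sh
# Added example, not obuilder code. Re-runs the two-jail loopback probe from
# the review thread in both configurations. Assumptions (not from the page):
# FreeBSD with VIMAGE, root privileges, jail names foo/bar unused, and
# $JAIL_ROOT (default /) providing sh, nc and /sbin/ifconfig.

# jail(8) network parameters for a mode, one per line:
#   shared   - host loopback shared between jails (the leaking setup)
#   isolated - private network stack with its own 127.0.0.1 (the commit)
jail_net_params() {
  case "$1" in
    shared)   printf '%s\n' 'ip4.addr=127.0.0.1' ;;
    isolated) printf '%s\n' 'vnet' 'exec.start=/sbin/ifconfig lo0 127.0.0.1/8' ;;
    *)        echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# Create a persistent jail named $1 using the parameters for mode $2.
# Values are split on newlines only, so the exec.start command keeps its spaces.
make_jail() {
  name=$1; mode=$2
  oldifs=$IFS
  IFS='
'
  set -f
  set -- $(jail_net_params "$mode")
  set +f
  IFS=$oldifs
  jail -c name="$name" path="${JAIL_ROOT:-/}" persist "$@"
}

# Listener in foo, probe from bar over 127.0.0.1:4000; reports the outcome.
probe_loopback() {
  mode=$1
  make_jail foo "$mode"
  make_jail bar "$mode"
  jexec foo sh -c 'echo leaked-from-foo | nc -l 4000' &
  sleep 1
  if out=$(jexec bar sh -c 'nc -w 2 127.0.0.1 4000') && [ -n "$out" ]; then
    echo "$mode: reachable ($out)"
  else
    echo "$mode: unreachable"
  fi
  jail -r foo
  jail -r bar
}

# Run as root on FreeBSD: ./probe.sh run
main() {
  probe_loopback shared
  probe_loopback isolated
}

case "${1:-}" in
  run) main ;;
esac
```

With the shared configuration the probe in `bar` receives the line written by `foo`, reproducing the cross-job channel described in the thread; with `vnet` each jail's 127.0.0.1 is its own, so the connect from `bar` is refused.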