Solved cannot get used/quota for pool/dataset: permission denied in jail

Hey,

After upgrading from FreeBSD 12.0 to 14.1, jails are unable to get and set quotas. It worked nicely with FreeBSD ZFS with the same jail settings; now with OpenZFS it does not:

Code:
# zfs allow vsd
---- Permissions on vsd ----------------------------------------------
Local+Descendent permissions:
        everyone userprop,userquota,userused

active jail params:

Code:
devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=3 name=test osreldate=1401000 osrelease=14.1-RELEASE-p1 path=/vsd nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable vnet=inherit zfs=new allow.nochflags allow.nomlock allow.mount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.nonfsd allow.quotas allow.noraw_sockets allow.noread_msgbuf allow.reserved_ports allow.noset_hostname allow.nosocket_af allow.suser allow.nosysvipc allow.unprivileged_proc_debug children.max=0 host.domainname="" host.hostid=0 host.hostname=test host.hostuuid=00000000-0000-0000-0000-000000000000 zfs.mount_snapshot=0

Any help would be quite helpful!
 
ok, it looks like

Code:
enforce_statfs < 2

is needed to have this working in at least 14.1
 
Ok, I have to reopen it.

enforce_statfs=1 or even =0 helps only when the zfs call is done as jailed root user.

But zfs allow is done with:

Code:
everyone userprop,userquota,userused

Why is that not respected? When I call

Code:
/sbin/zfs userspace -nHp POOL/DATASET

as non root user in the jail, it fails with permission denied
 
Hi,
anyone? I found no solution or developer/release notes by now and it's a remarkable difference to the older zfs versions in my view.

It's a problem if jails are not able to use zfs quota/properties, even if it is set so.
 
Hey,

yes, and when I set enforce_statfs=1 allow.mount=1 allow.mount.zfs=1, I achieve what I want (just ro reading of quota - no manipulation).

That is, in my view and compared to previous versions of FBSD and zfs, far too many other rights opened to the jail just for reading some quota information.
Especially because we have "zfs allow everyone userprop,userquota,userused" to allow/disallow just that. And with the addition that reading quota usage as root is possible, even if none of the jail parameters is set.

Do you have any idea how to read the zfs quota from within the jail, without being root and without all the other rights allowed?
 
Ok, I found it...

The pre-OpenZFS kernel zfs_ioctl.c did not ask for the "userobjquota" + "userobjused" perms on a simple
/sbin/zfs userspace -nHp POOL/DATASET but since OpenZFS this is needed:

zfs allow -e userprop,userquota,userused,userobjused,userobjquota POOL/DATASET

So, an enforce_statfs=2 is still sufficient if the allow is extended.
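
A way to audit a dataset for the delegation gap described in this thread, as an added example that is not part of the original posts: it reads `zfs allow` output and reports which of the permissions from the final `zfs allow -e` command are not delegated to "everyone". The function name `missing_everyone_perms` is hypothetical, the "after" sample is constructed, and any "everyone" line is counted regardless of its Local/Descendent scope.

```shell
#!/bin/sh
# Permissions taken from the thread's final `zfs allow -e ...` command.
REQUIRED="userprop userquota userused userobjused userobjquota"

# Reads `zfs allow <dataset>` output on stdin and prints the REQUIRED
# permissions that are not delegated to "everyone" (space separated).
# Empty output means nothing is missing.
# Assumption: every "everyone" line counts, whatever scope section it is in.
missing_everyone_perms() {
    granted=$(awk '$1 == "everyone" { gsub(",", " ", $2); print $2 }')
    missing=""
    for p in $REQUIRED; do
        case " $(echo $granted) " in
            *" $p "*) ;;                              # delegated
            *) missing="${missing:+$missing }$p" ;;   # not delegated
        esac
    done
    printf '%s\n' "$missing"
}

# `zfs allow vsd` output as posted in the thread (before the fix).
BEFORE='---- Permissions on vsd ----------------------------------------------
Local+Descendent permissions:
        everyone userprop,userquota,userused'

# Constructed sample: output after the extended allow has been applied.
AFTER='---- Permissions on vsd ----------------------------------------------
Local+Descendent permissions:
        everyone userobjquota,userobjused,userprop,userquota,userused'

echo "before: missing [$(printf '%s\n' "$BEFORE" | missing_everyone_perms)]"
echo "after:  missing [$(printf '%s\n' "$AFTER" | missing_everyone_perms)]"

# On a live host: zfs allow POOL/DATASET | missing_everyone_perms
```
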
 