Date: Sun, 29 May 2005 15:02:37 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc: freebsd-security@FreeBSD.org, Samy Al Bahra <samy@kerneled.org>
Subject: Re: Jail support for mac_portacl(4).
Message-ID: <20050529145922.T52379@fledge.watson.org>
In-Reply-To: <20050524011322.GI837@darkness.comp.waw.pl>
References: <20050524011322.GI837@darkness.comp.waw.pl>
On Tue, 24 May 2005, Pawel Jakub Dawidek wrote:

> This patch gives another option, so one doesn't need to use a firewall for
> this purpose. It adds a new idtype - 'jid'. With this patch, one can
> configure that the jail with the given JID can use only the defined ports:
>
> # sysctl security.mac.portacl.rules="jid:1:tcp:80"
>
> Patch is here:
>
> http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch
>
> Any objections?

This sounds fine to me, especially since it doesn't break forwards compatibility from older mac_portacl rule sets. However, I've CC'd Samy Al Bahra, who has a set of outstanding mac_portacl patches that are similar, and might have some comments on your proposed changes. My primary concern with his changes was that they changed the syntax in a way that broke backwards compatibility to older defined rules; on the other hand, his version of the changes allowed further scoping of things like "user id 80 in jail 20 can bind port 80", whereas the above supports a single layer of scoping.

Robert N M Watson
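As an added illustration, not code from the thread or from FreeBSD's mac_portacl, here is a small Python model of how the existing uid/gid rules and the proposed jid idtype are parsed and matched. The idtype:id:proto:port format and the port_high cutoff follow mac_portacl(4); the function names are mine, and the default root exemption (suser_exempt) is deliberately left out of the model.

```python
"""Simplified model of mac_portacl(4) rule evaluation with the 'jid' idtype
proposed in the thread. Rule syntax: idtype:id:proto:port, comma-separated,
e.g. "uid:80:tcp:80,jid:1:tcp:80" (the value of security.mac.portacl.rules)."""
from __future__ import annotations
from dataclasses import dataclass

IDTYPES = ("uid", "gid", "jid")   # 'jid' is the addition under discussion
PROTOS = ("tcp", "udp")

@dataclass(frozen=True)
class Rule:
    idtype: str
    ident: int
    proto: str
    port: int

def parse_rules(spec: str) -> list[Rule]:
    """Parse a rules string; reject malformed entries instead of skipping them."""
    rules = []
    for entry in filter(None, spec.split(",")):
        parts = entry.split(":")
        if len(parts) != 4:
            raise ValueError(f"malformed rule: {entry!r}")
        idtype, ident, proto, port = parts
        if idtype not in IDTYPES or proto not in PROTOS:
            raise ValueError(f"unknown idtype or protocol: {entry!r}")
        port_num = int(port)
        if not 0 <= port_num <= 65535:
            raise ValueError(f"port out of range: {entry!r}")
        rules.append(Rule(idtype, int(ident), proto, port_num))
    return rules

def bind_allowed(rules, *, uid, gid, jid, proto, port, port_high=1023):
    """True if a bind to proto/port by this subject is permitted.
    Ports above port_high are outside mac_portacl's scope and always allowed
    (models security.mac.portacl.port_high). jid 0 means 'not jailed', so a
    jid:0 rule would match unjailed processes. The root exemption is not
    modelled here (assumption for this example)."""
    if port > port_high:
        return True
    subject = {"uid": uid, "gid": gid, "jid": jid}
    # One layer of scoping only: each rule binds a single idtype to a port.
    return any(r.proto == proto and r.port == port and subject[r.idtype] == r.ident
               for r in rules)

# Constructed sample: the rule from the thread plus a conventional uid rule.
SAMPLE_RULES = "jid:1:tcp:80,uid:80:tcp:443"
```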