From owner-freebsd-security@FreeBSD.ORG Sun May 29 14:02:20 2005
X-Original-To: freebsd-security@FreeBSD.org
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 272AA16A41C; Sun, 29 May 2005 14:02:20 +0000 (GMT) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [204.156.12.53]) by mx1.FreeBSD.org (Postfix) with ESMTP id C220843D53; Sun, 29 May 2005 14:02:19 +0000 (GMT) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by cyrus.watson.org (Postfix) with ESMTP id C3D1646B4B; Sun, 29 May 2005 10:02:18 -0400 (EDT)
Date: Sun, 29 May 2005 15:02:37 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Pawel Jakub Dawidek
In-Reply-To: <20050524011322.GI837@darkness.comp.waw.pl>
Message-ID: <20050529145922.T52379@fledge.watson.org>
References: <20050524011322.GI837@darkness.comp.waw.pl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-security@FreeBSD.org, Samy Al Bahra
Subject: Re: Jail support for mac_portacl(4).
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sun, 29 May 2005 14:02:20 -0000

On Tue, 24 May 2005, Pawel Jakub Dawidek wrote:

> This patch gives another option, so one doesn't need to use a firewall for
> this purpose. It adds a new idtype - 'jid'. With this patch, one can
> configure that the jail with the given JID can use only the defined ports:
>
> # sysctl security.mac.portacl.rules="jid:1:tcp:80"
>
> Patch is here:
>
> http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch
>
> Any objections?

This sounds fine to me, especially since it doesn't break forwards compatibility from older mac_portacl rule sets.
However, I've CC'd Samy Al Bahra, who has a set of outstanding mac_portacl patches that are similar, and might have some comments on your proposed changes. My primary concern with his changes was that they changed the syntax in a way that broke backwards compatibility to older defined rules; on the other hand, his version of the changes allowed further scoping of things like "user id 80 in jail 20 can bind port 80", whereas the above supports a single layer of scoping.

Robert N M Watson