Date: Tue, 15 Jan 2013 00:01:53 -0500
From: "Isaac (.ike) Levy" <ike@blackskyresearch.net>
To: other@ahhyes.net
Cc: freebsd-jail@freebsd.org
Subject: Re: building with "CLANG"
Message-ID: <1358226122-1532940.73545663.fr0F51rmE000344@rs149.luxsci.com>
In-Reply-To: <191d7b2570889a980a349b588e6a93ed@ahhyes.net>
References: <6ada79496d6ff60271992bdcc44a1882@ahhyes.net> <CAJxePNLVW%2B4mR_zCJR8ZXyAnaD%2Bj38NZKMaR9QhQMarEhYNyvQ@mail.gmail.com> <191d7b2570889a980a349b588e6a93ed@ahhyes.net>

Hi Guys,

I can't bring myself to top-post on a BSD list,
And I'm in a particularly verbose mood as I debug an unrelated nasty mess,

On Jan 14, 2013, at 9:30 PM, other@ahhyes.net wrote:

>
> Hi Alexus,
>
> I could, but it's going to be time consuming. There are
> almost no clues (even with a google search) on what this option does. I
> am waiting to know if I can safely keep going the way I am and not have
> any serious problems. I updated the base OS ok, I just reinstalled world
> for one of my jails and ran mergemaster also to update it. Didn't have
> any major issues however I noticed the NO_FSCHG= business in the
> article.
>
> Would be nice if someone could document what the hell
> NO_FSCHG= does..
>

In-deed!

--
Deal is, after grokking some source, I *believe* this signals clang not to set particular files with the immutable 'schg' flag when installing world to your $DESTDIR.

Please try following up with the page author.
(Perhaps jump in the Clang IRC channel listed on the page, and try to ask the wiki page author?)

--
If I am correct:

I've not been down the clang jails path yet, (exciting!), but I'm assuming this is a new convenience feature tossed in, with interesting ramifications…

The old days with jail:

  /rm -rf /path/to/jail/dir

- This would fail without first recursively un-setting the schg immutable flags on files in the filesystem.
(UNIX newbs hit list, make new friends, and learn the power of chflags(1))

So, NO_FSCHG is either extremely convenient, or extremely dangerous- depending on what kind of packets reach your jailed interface…

Why does this matter with jail(8)?

With this convenience, much (if not all) of the functionality of the '-s' flag in jail(8) is lost!

     -s securelevel
             Set the kern.securelevel MIB entry to the specified value
             inside the newly created jail.  This is deprecated and is
             equivalent to setting the securelevel parameter.

--
This fun, goes way back,

http://seann.herdejurgen.com/resume/samag.com/html/v10/i05/a4.htm

Basically, one could fork bomb the machine, rendering all jailed systems useless- and BSD Secure Levels + login.conf in the jails were the ultimate fix.

Except back then, we didn't have the -s flag, (had to reboot a machine into a higher secure level to get this kind of protection, pretty inflexible, so it was rarely applied).

Rocket-
.ike

<snip>
>>> I recently tried to give CLANG a go with rebuilding the system
>>> (9.0-RELEASE to 9.1-RELEASE). Having read:
>>> https://wiki.freebsd.org/BuildingFreeBSDWithClang [1] everything seems
>>> to be working ok.
>>>
>>> I noticed something in the document that got me concerned:
>>>
>>> # Don't forget this when using Jails!
>>> NO_FSCHG=
>>>
>>> There is a suggestion to add the above to src.conf -- Can someone
>>> please explain what this does? Having forgotten to do this, am I going
>>> to have any major problems?
>>>
>>> Alex.