Date:      Sun, 25 Nov 2007 08:21:43 +1100
From:      Peter Jeremy <peterjeremy@optushome.com.au>
To:        Gabor Tjong A Hung <g.v.tjongahung@gmail.com>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Need for SysV IPC to be confined to jail instances
Message-ID:  <20071124212143.GC50167@server.vk2pj.dyndns.org>
In-Reply-To: <8AAADCFE-9D0D-4801-8684-5BD6A3070C2C@GMail.com>
References:  <8AAADCFE-9D0D-4801-8684-5BD6A3070C2C@GMail.com>


On Sat, Nov 24, 2007 at 12:11:18PM +0100, Gabor Tjong A Hung wrote:
>As I came to understand, if you enable jail_sysvipc_allow in rc.conf I am
>defeating the purpose of a jail.

Not totally defeating the purpose but SysV IPC is not jail-aware so
any jailed process can see and affect the global SysV IPC state.

>I got a suggestion that it might be possible to have sys v ipc confined to
>a jail instance and perhaps let it work like a telephone number.

This has come up before.  See (eg):
http://www.freebsd.org/cgi/query-pr.cgi?pr=48471
and the thread beginning
http://lists.freebsd.org/pipermail/freebsd-current/2006-April/062261.html

-- 
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement
an MTA that is either RFC2821-compliant or matches their claimed behaviour.
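
Added example, not part of the original message: the shared key namespace the reply describes, shown with two ordinary (non-jailed) processes that have nothing in common except a numeric SysV key. The key value and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/wait.h>

/* Constructed key for this demo; mixing in the pid avoids clashing with real keys. */
static key_t demo_key(void) { return (key_t)(0x4A000000 | (getpid() & 0xFFFFFF)); }

/* Returns 1 if a second process that knows only the key changed the owner's
 * data, 0 if it could not, -1 on setup failure. */
int segment_reachable_by_key(void)
{
    key_t key = demo_key();
    int id = shmget(key, 64, IPC_CREAT | IPC_EXCL | 0600);
    if (id < 0) return -1;
    char *mine = shmat(id, NULL, 0);
    if (mine == (char *)-1) { shmctl(id, IPC_RMID, NULL); return -1; }
    strcpy(mine, "owner data");

    pid_t pid = fork();
    if (pid == 0) {
        shmdt(mine);                  /* drop the mapping inherited over fork */
        /* Lookup uses the key, then uid/mode bits; nothing here names a jail. */
        int cid = shmget(key, 0, 0);
        char *theirs = (cid < 0) ? (char *)-1 : shmat(cid, NULL, 0);
        if (theirs == (char *)-1) _exit(1);
        strcpy(theirs, "changed elsewhere");
        _exit(0);
    }
    int status = 0, result = -1;
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        result = (strcmp(mine, "changed elsewhere") == 0);
    shmdt(mine);
    shmctl(id, IPC_RMID, NULL);       /* segments outlive their creator; remove it */
    return result;
}

int main(void)
{
    printf("reachable by key alone: %d\n", segment_reachable_by_key());
    return 0;
}
```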



