Date: Sun, 29 May 2005 17:21:03 +0300
From: Samy Al Bahra <samy@kerneled.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: freebsd-security@FreeBSD.org, Pawel Jakub Dawidek <pjd@FreeBSD.org>
Subject: Re: Jail support for mac_portacl(4).
Message-ID: <1117376463.2131.14.camel@jee.workstation.local>
In-Reply-To: <20050529145922.T52379@fledge.watson.org>
References: <20050524011322.GI837@darkness.comp.waw.pl> <20050529145922.T52379@fledge.watson.org>
On Sun, 2005-05-29 at 15:02 +0100, Robert Watson wrote:
> On Tue, 24 May 2005, Pawel Jakub Dawidek wrote:
>
> > This patch gives another option, so one doesn't need to use a firewall for
> > this purpose. It adds a new idtype - 'jid'. With this patch, one can
> > configure that a jail with the given JID can use only defined ports:
> >
> > # sysctl security.mac.portacl.rules="jid:1:tcp:80"
> >
> > Patch is here:
> >
> > http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch
> >
> > Any objections?
>
> This sounds fine to me, especially since it doesn't break forwards
> compatibility from older mac_portacl rule sets.
>
> However, I've CC'd Samy Al Bahra, who has a set of outstanding mac_portacl
> patches that are similar, and might have some comments on your proposed
> changes. My primary concern with his changes was that they changed the
> syntax in a way that broke backwards compatibility to older defined rules;

That was fixed. I think pjd@'s syntax changes are not that flexible (and,
well, as useful). Please take a look at
http://samy.kerneled.org/patches/portacl.patch

Support for an "add" and "none" keyword was added as well (except for the
uid/gid field). This is the copy I sent to Robert a couple of months ago.

If pjd@ wishes, he can modify this patch to his style and apply the "all"
keyword to the uid/gid identifier in order to bind all processes in a jail
to a rule (if he wishes).

Thanks.

-- 
Samy Al Bahra
|------- http://samy.kerneled.org
|------- http://www.FreeBSD.org
'------- http://www.arabeyes.org
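The rule syntax quoted in the thread, with the proposed jid idtype, modelled as an added example (not code from this thread or from the mac_portacl module itself): a parser for security.mac.portacl.rules strings and the bind() decision taken over the parsed list. The model assumes suser_exempt=0, port_high=1023, that jid 0 means an unjailed process, and that a jid rule matches every process in that jail, as the quoted patch description says.

```python
from dataclasses import dataclass

# Tunables of this model (assumptions mirroring the module's sysctls, not read from a system)
PORT_HIGH = 1023                  # only ports <= this are subject to rules
IDTYPES = ("uid", "gid", "jid")   # 'jid' is the idtype the quoted patch proposes
PROTOS = ("tcp", "udp")

@dataclass(frozen=True)
class Rule:
    idtype: str
    ident: int
    proto: str
    port: int

def parse_rules(rule_string):
    """Parse comma-separated 'idtype:id:proto:port' entries, e.g. 'jid:1:tcp:80'."""
    rules = []
    for entry in rule_string.split(","):
        entry = entry.strip()
        if not entry:
            continue
        idtype, ident, proto, port = entry.split(":")   # ValueError unless exactly 4 fields
        if idtype not in IDTYPES or proto not in PROTOS:
            raise ValueError(f"unknown idtype or protocol in rule {entry!r}")
        rules.append(Rule(idtype, int(ident), proto, int(port)))
    return rules

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset   # every group membership, as a gid rule's group check sees it
    jid: int = 0      # 0 = not jailed (assumption of this model)

def bind_allowed(rules, proc, proto, port):
    """True if proc may bind() proto/port. Assumes suser_exempt=0 (uid 0 is not special)."""
    if port > PORT_HIGH:
        return True                   # unprivileged port: rules are never consulted
    for r in rules:
        if r.proto != proto or r.port != port:
            continue
        if r.idtype == "uid" and r.ident == proc.uid:
            return True
        if r.idtype == "gid" and r.ident in proc.gids:
            return True
        # A jid rule matches every process of that jail regardless of uid; the reply
        # above suggests an "all" keyword in the uid/gid field to express the same thing.
        if r.idtype == "jid" and proc.jid != 0 and r.ident == proc.jid:
            return True
    return False                      # no matching rule: bind is denied
```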