Date: Mon, 30 Nov 2009 16:14:40 +0100
From: Ivan Voras <ivoras@freebsd.org>
To: freebsd-hackers@freebsd.org
Subject: Re: UNIX domain sockets on nullfs still broken?
Message-ID: <hf0ngp$cpb$1@ger.gmane.org>
In-Reply-To: <20091130150127.GA82188@logik.internal.network>
References: <20091130142950.GA86528@logik.internal.network>
 <hf0lle$5mk$1@ger.gmane.org>
 <20091130150127.GA82188@logik.internal.network>

xorquewasp@googlemail.com wrote:
> On 2009-11-30 15:43:01, Ivan Voras wrote:
>> xorquewasp@googlemail.com wrote:
>>> 76030 initial thread STRU struct sockaddr { AF_LOCAL, /tmp/jack-11001/default/jack_0 }
>>> 76030 initial thread NAMI "/tmp/jack-11001/default/jack_0"
>>> 76030 initial thread RET connect -1 errno 61 Connection refused
>> I would expect to see this result from the jail since it's obviously a
>> Bad Idea, but does it work from the same (host) machine without the jail
>> in between (i.e. just the nullfs, no jails)?
>
> Hm, yes, you're right. It does work without a jail involved.
>
> What's the sane solution, then, when the only method of communication
> is unix domain sockets?

It is a security problem. I think the long-term solution would be to add
a sysctl analogous to security.jail.param.securelevel to handle this. I
don't think there is a workaround right now.