Date:      Tue, 1 Dec 2009 10:22:02 -0500
From:      Linda Messerschmidt <linda.messerschmidt@gmail.com>
To:        Ivan Voras <ivoras@freebsd.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: UNIX domain sockets on nullfs still broken?
Message-ID:  <237c27100912010722g2f6c4647ga82370284bc26e20@mail.gmail.com>
In-Reply-To: <hf0ngp$cpb$1@ger.gmane.org>
References:  <20091130142950.GA86528@logik.internal.network> <hf0lle$5mk$1@ger.gmane.org> <20091130150127.GA82188@logik.internal.network> <hf0ngp$cpb$1@ger.gmane.org>

On Mon, Nov 30, 2009 at 10:14 AM, Ivan Voras <ivoras@freebsd.org> wrote:
>> What's the sane solution, then, when the only method of communication
>> is unix domain sockets?
>
> It is a security problem. I think the long-term solution would be to add a
> sysctl analogous to security.jail.param.securelevel to handle this.

Out of curiosity, why is allowing access to a Unix domain socket in
a filesystem to which a jail has explicitly been allowed access more
or less secure than allowing access to a file or a devfs node in a
filesystem to which a jail has explicitly been allowed access?
