From owner-freebsd-hackers Tue Feb 25 14:47:19 2003 Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C4F137B401 for ; Tue, 25 Feb 2003 14:47:17 -0800 (PST) Received: from scaup.mail.pas.earthlink.net (scaup.mail.pas.earthlink.net [207.217.120.49]) by mx1.FreeBSD.org (Postfix) with ESMTP id CDB6343FDF for ; Tue, 25 Feb 2003 14:47:16 -0800 (PST) (envelope-from mooneer@translator.cx) Received: from pool0150.cvx31-bradley.dialup.earthlink.net ([209.179.146.150] helo=morpheus) by scaup.mail.pas.earthlink.net with smtp (Exim 3.33 #1) id 18nnqz-0003mt-00 for freebsd-hackers@freebsd.org; Tue, 25 Feb 2003 14:47:13 -0800 From: "Mooneer Salem" To: "FreeBSD Hackers" Subject: Jail seperation patch Date: Tue, 25 Feb 2003 14:47:11 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Hello, I've been working on extending the jail feature of FreeBSD to make it more friendly to VPS providers. I added the following features: * Rudimentary CPU/RAM/number of processes per-jail limits * Multiple IP support (from Pawel Jakub Dawidek's mijail patch for 4.7) * Proper INADDR_ANY support added (so INADDR_ANY will bind to all IP addresses within a jail) * struct prison added to SysV IPC code (to allow for secure use) * Disk mount hiding * Hot add/remove IP addresses from jail using sysctl * Process hiding (non-root users outside jails cannot see jailed processes) The patch is for 5.0-CURRENT/5.0-RELEASE. I would be interested in any comments or suggestions. If anyone's interested, it can be retrieved at http://msalem.translator.cx/dist/jail_seperation.v5.patch. Example of new sysctl entries: %sysctl -a | grep jail jail.jails.test_lifeafterking_org.max_ram: 0 jail.jails.test_lifeafterking_org.max_cpu: 0 jail.jails.test_lifeafterking_org.max_procs: 0 jail.jails.test_lifeafterking_org.procs_used: 10 jail.jails.test_lifeafterking_org.ram_used: 5971968 jail.jails.test_lifeafterking_org.cpu_used: 0 jail.jails.test_lifeafterking_org.ipv4addr: 10.0.0.3,10.0.0.4 security.jail.set_hostname_allowed: 1 security.jail.socket_unixiproute_only: 1 security.jail.sysvipc_allowed: 0 security.jail.quotas_allowed: 0 security.jail.hide_processes: 0 % Thanks, -- Mooneer Salem GPLTrans: http://www.translator.cx/ lifeafterking.org: http://www.lifeafterking.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message