From owner-freebsd-security Sat Sep 18 11:58:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
    by hub.freebsd.org (Postfix) with ESMTP id 480CA14CFE
    for ; Sat, 18 Sep 1999 11:58:14 -0700 (PDT)
    (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
    by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id UAA12518;
    Sat, 18 Sep 1999 20:55:52 +0200 (CEST)
    (envelope-from phk@critter.freebsd.dk)
To: Matthew Dillon
Cc: "Rodney W. Grimes" , imp@village.org (Warner Losh),
    liam@tiora.net (Liam Slusser), kdrobnac@mission.mvnc.edu (Kenny Drobnack),
    Harry_M_Leitzell@cmu.edu (Harry M. Leitzell), security@FreeBSD.ORG
Subject: Re: BPF on in 3.3-RC GENERIC kernel
In-reply-to: Your message of "Sat, 18 Sep 1999 11:39:13 PDT." <199909181839.LAA66478@apollo.backplane.com>
Date: Sat, 18 Sep 1999 20:55:52 +0200
Message-ID: <12516.937680952@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199909181839.LAA66478@apollo.backplane.com>, Matthew Dillon writes:

> Let me put it this way: Passing an unsigned 32 bit integer is obviously
> the *WRONG* type of argument to pass for an IP address considering that
> just about every single other system call takes a sockaddr of one sort
> or another.

Jail(2) as it stands today is an IPv4 facility, and only that.
The interface is specified to make sure people don't miss this
important fact.

I have not yet been able to find sufficient information on how
multihoming and resource location will work in IPv6 to determine
if jail(2) will even be possible for IPv6.

If you are able to design a protocol independent jail(2) facility
I really think you should do so. For starters you can make it
work for the appletalk and ipx stacks we have in the kernel.

Remember: jail(2) is a security function, not a networking function.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!