Date:      Fri, 21 May 2004 12:02:17 +0300
From:      Ruslan Ermilov <ru@freebsd.org>
To:        Gleb Smirnoff <glebius@cell.sick.ru>
Cc:        Pawel Jakub Dawidek <pjd@freebsd.org>
Subject:   Re: Call for a hacker.... security.bsd.see_other_uids in jails only
Message-ID:  <20040521090217.GB57989@ip.net.ua>
In-Reply-To: <20040521081419.GB89262@cell.sick.ru>
References:  <20040520220145.GN4567@genius.tao.org.uk> <20040521080218.GY845@darkness.comp.waw.pl> <20040521081419.GB89262@cell.sick.ru>

On Fri, May 21, 2004 at 12:14:19PM +0400, Gleb Smirnoff wrote:
> On Fri, May 21, 2004 at 10:02:18AM +0200, Pawel Jakub Dawidek wrote:
> P> Implementation probably wouldn't be too hard, but I can't agree it should
> P> be committed. We need to know where jail's virtualization ends and I think
> P> it is too far. Of course it will be cool to have those sysctls on a per-jail
> P> basis, as well as others from the security.bsd. tree
> P> (like security.bsd.suser_enabled), but I'm not sure this is the right way
> P> to go.
> P>
> P> Any other opinions? If someone convinces me we should do it, I can do it.
>
> A more general solution will be better, but harder to implement: make
> some sysctl branches (e.g. security.bsd) local per jail, and possibility to
> change them only from host machine.
>
I like the idea of per-jail sysctl MIB trees, e.g.:

jail.<JID>.security.bsd

When a jail gets created, the generic sysctl code would traverse
the primary sysctl tree (excluding the jail. subtree), and copy
and attach those that have some jail-related flag to the
jail.<JID>. branch.

Inside the jail, the jail.<JID>.security.bsd branch would map to
just security.bsd.

The generic sysctl code, when it detects it's run within a
jail, will find a sysctl node "foo.bar", and if it has a
jail-clone flag set, will remap a query to jail.<JID>.foo.bar.

Whether it's allowed to change a particular sysctl inside
a jail is another matter.


Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

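
A userspace model of the clone-and-remap scheme proposed in the message above, added here as an illustration; it is not code from the thread or from FreeBSD. The flag NODE_JAILCLONE, the function names and the kern.example_shared node are hypothetical, and the node table is constructed sample data.

```c
/* Userspace model only; NODE_JAILCLONE and all function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NODE_JAILCLONE 0x1   /* hypothetical "jail-clone" flag */
#define MAX_NODES 32

struct node { char name[64]; int flags; int value; };
static struct node tree[MAX_NODES] = {   /* constructed sample tree */
    { "security.bsd.see_other_uids", NODE_JAILCLONE, 1 },
    { "security.bsd.suser_enabled",  NODE_JAILCLONE, 1 },
    { "kern.example_shared",         0,              64 },  /* made-up node */
};
static int nnodes = 3;

static struct node *find(const char *name) {
    for (int i = 0; i < nnodes; i++)
        if (strcmp(tree[i].name, name) == 0) return &tree[i];
    return NULL;
}

/* On jail creation: copy every flagged node outside jail.* to jail.<JID>.*;
 * returns the number of nodes cloned, or -1 if the table is full. */
int jail_clone_nodes(int jid) {
    int cloned = 0, n = nnodes;   /* snapshot so new clones are not re-walked */
    for (int i = 0; i < n; i++) {
        if (strncmp(tree[i].name, "jail.", 5) == 0 ||
            !(tree[i].flags & NODE_JAILCLONE))
            continue;
        if (nnodes == MAX_NODES) return -1;
        struct node *c = &tree[nnodes++];
        snprintf(c->name, sizeof(c->name), "jail.%d.%s", jid, tree[i].name);
        c->flags = 0;             /* a clone is never cloned again */
        c->value = tree[i].value;
        cloned++;
    }
    return cloned;
}

/* Resolve a name for a caller in jail `jid` (0 = host): flagged nodes are
 * remapped to jail.<JID>.<name>; everything else resolves globally. */
struct node *sysctl_resolve(int jid, const char *name) {
    struct node *n = find(name);
    char mapped[64];
    if (n == NULL || jid == 0 || !(n->flags & NODE_JAILCLONE))
        return n;
    snprintf(mapped, sizeof(mapped), "jail.%d.%s", jid, name);
    return find(mapped);          /* NULL if this jail has no clone yet */
}
```

In this model the host reaches a jail's copy through its full jail.<JID>. name, while a caller inside the jail sees it under the plain name; whether the jail may write to it is left out, as in the message.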


