From owner-freebsd-jail@FreeBSD.ORG Wed Jul 7 22:14:18 2010
Message-ID: <4C34FB9C.8020404@FreeBSD.org>
Date: Wed, 07 Jul 2010 16:11:40 -0600
From: Jamie Gritton
To: Harald Schmalzbauer, freebsd-jail@FreeBSD.org
References: <4C2EEF3E.2010008@omnilan.de> <4C2EF065.2020208@omnilan.de> <20100703145827.E14969@maildrop.int.zabbadoz.net> <4C30B26D.2010202@omnilan.de>
In-Reply-To: <4C30B26D.2010202@omnilan.de>
Subject: Re: selective jail restriction controlling in rc.conf
List-Id: "Discussion about FreeBSD jail(8)"

On 07/04/10 10:10, Harald Schmalzbauer wrote:
> Dear freebsd-jail fellows,
>
> I haven't known of that list yet, nor am I subscribed, but I did some
> work for me to extend rc.d/jail to accomplish some of my needs and
> I'd like to share it.
> I don't have much knowledge to join serious development, I'm just
> "playing". But I'm sure you can understand my intention of the patch and
> maybe take some idea.
>
> Here's my original post to freebsd-stable@:
>
> I very much liked the possibility to easily manage jails via rc.conf.
> Unfortunately I was missing some features.
> First, there are many security.jail.allow_* sysctls which didn't get
> attention.
> Second, I needed to allow different things on different jails. For
> example only one distinct jail should have sysvIPC.
>
> Please find attached a patch which extends rc.d to my needs.
> Some jail_start() modifications were necessary and some cleanups could
> be done in the "Configuring jails:" section (not needed any more) and in
> the _ip_multi processing, since that's not needed any more.
> One has to separately define ip4 and ip6 addresses. They can be with or
> without mask, single or comma-separated list, doesn't matter, thanks
> to the jail_handle_ips_option() coder, it just works :)

The new jail(8) syntax is able to handle your second concern, allowing
features on only some jails. I'm currently working on an update that will
use a jail.conf file instead of the rc-based shell variables currently in
use; because of that, there are no plans to keep hacking on the rc
variables.

As for the first concern, the sysctl.jail.allow_* sysctls, those are
obsoleted by the new jail system as well. While they will continue to
exist in the (at least near) future, they're being deprecated for just
the reason you mention, that they don't allow per-jail control.

- Jamie
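As an added illustration (not part of either message, and not Jamie's or Harald's code), this is what the per-jail control discussed above looks like in the jail.conf(5) format that later shipped with FreeBSD: only one jail opts in to SysV IPC, every other allow.* stays denied by default, and ip4/ip6 addresses are listed per jail. Jail names, paths and addresses are constructed placeholders.

```conf
# Constructed example jail.conf: per-jail allow.* parameters take the place
# of the global security.jail.allow_* sysctls. Names, paths and addresses
# are placeholders.

# Parameters outside any jail block are defaults for every jail below.
path = "/jails/$name";
host.hostname = "$name.example.net";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

# Restrictive defaults: a jail has to opt in to each permission explicitly.
allow.nosysvipc;
allow.noraw_sockets;
allow.nomount;

www {
    # ip4.addr and ip6.addr are given separately; lists are comma-separated.
    ip4.addr = 192.0.2.10, 192.0.2.11;
    ip6.addr = 2001:db8::10;
}

db {
    ip4.addr = 192.0.2.20;
    # Only this jail gets SysV IPC; the system-wide sysctl is not involved.
    allow.sysvipc;
}
```

After `jail -c db`, `jls -j db allow.sysvipc` shows the value that was actually applied, which is the quick check that a permission is scoped to one jail rather than granted system-wide.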