From: Edward Tomasz Napierała
Date: Wed, 2 Mar 2011 07:41:35 +0100
Message-Id: <1C210696-D8D8-4234-BD06-52100F60D9FB@FreeBSD.org>
References: <41A35BDD-7EF0-47C5-BA3D-2E3F9C9C5540@FreeBSD.org>
To: Robert Watson
Cc: "arch@"
Subject: Re: Adding setloginclass(2) and getloginclass(2).

Message written by Robert Watson on 2011-03-01, at 23:12:

> On Tue, 1 Mar 2011, Edward Tomasz Napierała wrote:
>
>> At http://people.freebsd.org/~trasz/loginclass.diff, you can find a patch that adds login class information to the kernel. The patch does not contain changes to autogenerated files; to test it, do "make sysent" in sys/kern/ and sys/compat/freebsd32/.
>>
>> The patch itself doesn't add much user-visible functionality, although being able to do "ps aux -o class" might be useful. However, login classes are a prerequisite for RCTL, aka Resource Containers - a system administrator can use rules such as "loginclass:users:nproc:deny=100/user" to replace resource limits usually defined in login.conf(5), or a rule such as "loginclass:users:nproc:deny=100/loginclass" to limit the number of processes for the whole login class, achieving something similar to SunOS "projects".
>>
>> Since this involves adding two new syscalls, I'd like to hear some opinions about it - it's hard to change these afterwards.
>
> Could you say a little about how you handle jails/chroots/etc?

I don't; I consider them orthogonal. There is, of course, the problem of jailed root setting the same login class as the one used outside, but it's similar to the UIDs shared between jails and the outside.
As for the other behaviour - login classes are very similar to uidinfo; the biggest differences are that they are not used for access control and are not supposed to be changed after logging in.

I just realized I forgot to include code that allows jailed root to use setloginclass(2). I'll update the patch later today.

-- 
If you cut off my head, what would I say? Me and my head, or me and my body?
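The two RCTL rules quoted in the thread differ only in their per-clause. As an added example (not code from the patch or from FreeBSD's rctl implementation), here is a small Python model of how a rule of the form subject:subject-id:resource:action=amount/per is parsed, and how "/user" and "/loginclass" accounting differ when checked against a constructed process table; the process table, the `Rule` class and `would_deny()` are assumptions of this model.

```python
"""Model of RCTL rule semantics from the loginclass discussion.
This is an illustration added here, not FreeBSD's rctl(8) code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    subject: str      # e.g. "loginclass"
    subject_id: str   # e.g. "users"
    resource: str     # e.g. "nproc"
    action: str       # e.g. "deny"
    amount: int       # e.g. 100
    per: str          # accounting granularity: "user" or "loginclass"


def parse_rule(text: str) -> Rule:
    """Parse 'loginclass:users:nproc:deny=100/user' into its fields."""
    subject, subject_id, resource, rest = text.split(":", 3)
    action, rest = rest.split("=", 1)
    amount, per = rest.split("/", 1)
    # Only the two per-clauses mentioned in the thread are modelled here.
    if per not in ("user", "loginclass"):
        raise ValueError(f"unsupported per-clause: {per!r}")
    return Rule(subject, subject_id, resource, action, int(amount), per)


# Constructed process table: (uid, login class) for every running process.
# Two users in class "users" with 60 and 50 processes, plus 10 daemon processes.
PROCS = [(1001, "users")] * 60 + [(1002, "users")] * 50 + [(0, "daemon")] * 10


def would_deny(rule: Rule, uid: int, loginclass: str, procs=PROCS) -> bool:
    """Would creating one more process for (uid, loginclass) exceed the rule?"""
    if rule.resource != "nproc" or rule.action != "deny":
        return False  # only nproc/deny is modelled
    if rule.subject != "loginclass" or loginclass != rule.subject_id:
        return False  # rule does not apply to this login class
    if rule.per == "user":
        # Per-user accounting: each uid in the class has its own counter.
        current = sum(1 for u, c in procs if u == uid and c == loginclass)
    else:
        # Per-loginclass accounting: every member of the class shares one counter.
        current = sum(1 for _, c in procs if c == loginclass)
    return current + 1 > rule.amount
```

With the table above, the "/user" rule still lets uid 1001 (60 processes) fork, while the "/loginclass" rule denies it because the class as a whole already holds 110 processes.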