Date:      Sun, 27 Jun 2004 14:01:20 -0700 (PDT)
From:      Julian Elischer <julian@elischer.org>
To:        Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc:        "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Subject:   Re: jail getfsstat patches.
Message-ID:  <Pine.BSF.4.21.0406271358520.19712-100000@InterJet.elischer.org>
In-Reply-To: <20040627160959.GL12007@darkness.comp.waw.pl>



On Sun, 27 Jun 2004, Pawel Jakub Dawidek wrote:

> On Sun, Jun 27, 2004 at 03:53:35PM +0000, Bjoern A. Zeeb wrote:
> +> One thing that I have seen while skipping through the first time:
> +> 
> +> could we avoid the function calls for non-jails or with
> +> jail_enforce_statfs=0 ? This would make the code somewhat longer
> +> as this part would be copied over multiple functions
> +> 
> +> 	if (jailed(cred) && jail_enforce_statfs) {
> +> 		/* call of the two functions */
> +> 	}
> +> 
> +> (perhaps use a macro ?) but save people outside jails, w/o jails
> +> or with jail_enforce_statfs=0 the function calls.
> 
> IMHO it should stay as it is, because:
> 
> - Some other prison_* functions do the same, i.e. check jailed(cred)
>   by themselves.
> - Function prison_canseemount() should be renamed some day to
>   cr_canseemount(), so I don't want it to be treated as jail-specific.
> - Code is much cleaner.
> - It doesn't save us too much CPU, really, and we don't need speed here.
> 
> +> To answer another question: though I maybe thought/said s.th. else in
> +> the past I would like to keep the sysctl global and not have it per
> +> jail (if we start doing per-jail things we might really consider
> +> vimages (perhaps in 6-CURRENT) but that's out of the scope of
> +> this discussion).
> 
> I agree, it shouldn't be per-jail. More than that, it should be removed
> in the future so as not to allow the old behaviour.

I agree that the old behaviour was a bug, and the setting of the
sysctl being able to show the old info is only so that people can
continue to run old scripts.

The several levels of security that are in one version of the script
are, I think, a little too much. I'd just like one sysctl to enable
it, and after a while we swap the default, and then after a bit more
time we remove it...

> 
> -- 
> Pawel Jakub Dawidek                       http://www.FreeBSD.org
> pjd@FreeBSD.org                           http://garage.freebsd.pl
> FreeBSD committer                         Am I Evil? Yes, I Am!
> 
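
Added example, not part of the original message or of the FreeBSD patch: a user-space C model of the callee-checked pattern argued for in the quoted reply, where prison_canseemount() tests jailed(cred) and jail_enforce_statfs itself so that a getfsstat-like caller carries no jail logic of its own. The struct layouts, the under_root() helper, the "visible only below the jail root" rule, the ENOENT return and the sample mount table are assumptions constructed for illustration.

```c
/* User-space model of the check discussed above; NOT FreeBSD kernel code.
 * Struct layouts, the path rule and the ENOENT return are assumptions. */
#include <errno.h>
#include <string.h>

struct prison { const char *pr_path; };            /* jail root directory */
struct ucred  { const struct prison *cr_prison; }; /* NULL when not jailed */
struct mount  { const char *mnt_on; };             /* mount point path */

static int jail_enforce_statfs = 1;  /* the single global knob from the thread */
static int jailed(const struct ucred *cred) { return cred->cr_prison != NULL; }

/* 1 if path is root itself or lies below it; compares whole components,
 * so "/jails/www2" is not treated as being inside "/jails/www". */
static int under_root(const char *root, const char *path)
{
    size_t n = strlen(root);
    if (strcmp(root, "/") == 0)
        return 1;
    return strncmp(root, path, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Callee-checked form: the jailed()/sysctl test lives here, so no caller
 * can forget it. Returns 0 when cred may see mp. */
static int prison_canseemount(const struct ucred *cred, const struct mount *mp)
{
    if (!jailed(cred) || jail_enforce_statfs == 0)
        return 0;
    return under_root(cred->cr_prison->pr_path, mp->mnt_on) ? 0 : ENOENT;
}

/* What a getfsstat-like caller does: it filters, with no jail logic of its own. */
static int visible_mounts(const struct ucred *cred, const struct mount *tab, int n)
{
    int i, seen = 0;
    for (i = 0; i < n; i++)
        if (prison_canseemount(cred, &tab[i]) == 0)
            seen++;
    return seen;
}

/* Constructed sample mount table and credentials. */
static const struct mount mtab[] = { {"/"}, {"/usr"}, {"/jails/www"},
                                     {"/jails/www/dev"}, {"/jails/www2"} };
static const struct prison www = { "/jails/www" };
static const struct ucred host_cred = { NULL }, jail_cred = { &www };
```

In this model the unjailed credential and the jail_enforce_statfs=0 case cost one function call plus two comparisons per mount, which is the overhead the two sides of the thread are weighing against guarding every call site.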


