Date:      Thu, 14 Nov 2002 07:14:29 +0300 (MSK)
From:      "."@babolo.ru
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        Poul-Henning Kamp <phk@critter.freebsd.dk>, hackers@FreeBSD.ORG
Subject:   Re: tty/pty devices not safe in jail?
Message-ID:  <200211140414.gAE4EUSH094888@aaz.links.ru>
In-Reply-To: <200211132001.gADK188f001694@apollo.backplane.com>

>     Would people be interested if I added such a feature?  Limit the
>     highest allocatable pty to 90% when operating within a jail?  e.g.
>     if you have 256 ptys both jail and normal tend to allocate ptys 
>     from the bottom up, but the jail would not be allowed to allocate
>     past pty #227.  This way if a jail eats all the ptys the sysadmin
>     can still ssh in.
I think there is a method to limit ptys without a code change now.
Usually my jail environment has only one fs without
'nodev', mounted as the jail's /dev,
and this file system's directories are protected by flags:
0myth/home/CVShome/ispdb-sfbsdr/ispdb(13)>l -o /jail/vhost/aaz/dev/
total 4
2 drwxr-xr-x   3 root    wheel  schg,sunlnk     1536 15 Sep 02:57 ./
1 drwxr-xr-x  15 root    wheel  -                512 10 Sep 20:42 ../
0 lrwx------   1 root    wheel  -                  4 15 Sep 02:57 console@ -> null
1 dr-xr-xr-x   2 root    wheel  schg,sunlnk     1024 15 Sep 02:57 fd/
0 lrwx------   1 root    wheel  -                  4 15 Sep 02:57 kmem@ -> null
0 lrwx------   1 root    wheel  -                  4 15 Sep 02:57 mem@ -> null
0 crw-rw-rw-   1 root    wheel  sunlnk        2,   2 14 Nov 06:58 null
0 crw-rw-rw-   1 root    wheel  sunlnk        6,   0 13 Nov 18:29 ptyp0
0 crw-rw-rw-   1 root    wheel  sunlnk        6,   1 14 Nov 04:06 ptyp1
....
and only a limited number of ptys in that /dev

I use vn with labels set for a lot of /dev
directories for jails
0myth/home/CVShome/ispdb-sfbsdr/ispdb(16)>grep vn /etc/fstab
/dev/vn7s1b             /jail/vhost/aaz/dev     ufs     rw,noauto       0 0
...

0myth/home/CVShome/ispdb-sfbsdr/ispdb(17)>cat /etc/rc.local 
/usr/bin/gunzip -c /full.gz > /full
/usr/sbin/vnconfig -cs labels /dev/vn7 /full
/sbin/mount /jail/vhost/aaz/dev
...

-- 
@BABOLO      http://links.ru/

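The restricted jail /dev described in the mail above, as an added example (my own script, not the author's; it only reproduces the node layout visible in the listing): a POSIX sh script that creates exactly N pty pairs under the 4.x MAKEDEV numbering (eight classes lettered p q r s P Q R S, 32 units 0-9a-v each, minor number equal to the pty index, master major 6 as in the listing; slave major 5 is my assumption from the 4.x MAKEDEV), the null node with console/kmem/mem symlinked to it, an empty fd/ directory, and then sets the sunlnk/schg flags as shown. The vn image creation and mount are the author's rc.local and fstab lines and are not repeated. Set DRY_RUN=1 to print the commands instead of executing them; index 227 is the cut-off Matthew Dillon mentions.

```shell
#!/bin/sh
# Populate a jail /dev with a fixed number of pty pairs (FreeBSD 4.x device
# numbers).  Added example, not from the original mail.  With DRY_RUN=1 the
# commands are printed rather than executed (needs root on FreeBSD otherwise).

PTY_MAJOR=6                  # master side (ptyXY); 6,0 / 6,1 in the listing
TTY_MAJOR=5                  # slave side (ttyXY); assumption: 4.x MAKEDEV value
NULL_MAJOR=2; NULL_MINOR=2   # /dev/null, 2,2 in the listing

# 4.x MAKEDEV layout: class letters p q r s P Q R S (32 ptys each),
# unit digits 0-9a-v; the minor number is simply the pty index (0..255).
PTY_CLASSES=pqrsPQRS
PTY_UNITS=0123456789abcdefghijklmnopqrstuv

# pty_devname INDEX -> "master slave minor", fails for INDEX outside 0..255
pty_devname() {
    idx=$1
    [ "$idx" -ge 0 ] && [ "$idx" -lt 256 ] || return 1
    class=$((idx / 32)); unit=$((idx % 32))
    cl=$(printf '%s' "$PTY_CLASSES" | cut -c$((class + 1)))
    un=$(printf '%s' "$PTY_UNITS" | cut -c$((unit + 1)))
    printf 'pty%s%s tty%s%s %d\n' "$cl" "$un" "$cl" "$un" "$idx"
}

# run CMD... : execute, or just print when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# make_jail_dev DIR NPTYS : create DIR/null, console/kmem/mem -> null, fd/,
# exactly NPTYS pty pairs, then lock nodes (sunlnk) and directories
# (schg,sunlnk) the way the listing above shows.  The fd/ entries themselves
# are left to MAKEDEV and are not created here.
make_jail_dev() {
    dir=$1; nptys=$2
    [ "$nptys" -ge 1 ] && [ "$nptys" -le 256 ] || { echo "bad pty count: $nptys" >&2; return 1; }
    run mkdir -p "$dir/fd"
    run mknod "$dir/null" c "$NULL_MAJOR" "$NULL_MINOR"
    run chmod 666 "$dir/null"
    for l in console kmem mem; do run ln -s null "$dir/$l"; done
    i=0
    while [ "$i" -lt "$nptys" ]; do
        set -- $(pty_devname "$i")          # $1=master $2=slave $3=minor
        run mknod "$dir/$1" c "$PTY_MAJOR" "$3"
        run mknod "$dir/$2" c "$TTY_MAJOR" "$3"
        run chmod 666 "$dir/$1" "$dir/$2"
        i=$((i + 1))
    done
    # device nodes undeletable, directories immutable and undeletable
    run chflags sunlnk "$dir"/null "$dir"/pty?? "$dir"/tty??
    run chflags schg,sunlnk "$dir/fd" "$dir"
}

# usage: DRY_RUN=1 make_jail_dev /jail/vhost/aaz/dev 16
```

Run it once against the freshly newfs'd vn filesystem before the first mount from rc.local; the jail then sees only the pty pairs created here, and every other filesystem in the jail stays mounted with nodev as in the mail.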