Date: Thu, 22 Aug 2013 19:20:21 -0400
From: "Sam Fourman Jr." <sfourman@gmail.com>
To: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Cc: FreeBSD FS <freebsd-fs@freebsd.org>, freebsd-security@freebsd.org, Xin LI <d@delphij.net>
Subject: Re: Allowing tmpfs to be mounted in jail?
Message-ID: <CAOFF%2BZ0MtyBe3=oYQ3hNJwKvG%2BMnAhdy5t%2Bj56FX%2Bhq_j7i1Dw@mail.gmail.com>
In-Reply-To: <641D3DB0C34A482EA7F5902243F3F6D0@white>
References: <52166351.4030106@delphij.net> <641D3DB0C34A482EA7F5902243F3F6D0@white>

> Xin Li,
>
> I can envision the use of tmpfs without providing access to mounting other
> devices within a jail context.
>
> It would be better if this feature had its own sysctl to control the
> jail's state, particularly as a DoS could "inadvertently" be
> introduced, per Kib's earlier point. Other device types have additional
> mitigation strategies, such as exclusion via dev.rules,
> which tmpfs doesn't have.
>
> Regards, Dewayne.

Xin,

This is a great feature and it has several use cases. What about the
possibility of a sysctl that adds a max amount that a jail could set a
tmpfs... This would be per jail. Now, in theory you could overcommit
resources, but that would be an administrator's decision, and not one jail
could consume all resources.

--
Sam Fourman Jr.