From: Koen Martens
Organization: Sonologic
Date: Tue, 04 Apr 2006 13:04:01 +0200
To: Robert Watson
Cc: Peter Jeremy, freebsd-current@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: new feature: private IPC for every jail
Message-ID: <443252A1.8000704@metro.cx>
In-Reply-To: <20060404112938.G76562@fledge.watson.org>
References: <20060403003318.K947@ganymede.hub.org> <20060403163220.F36756@fledge.watson.org> <20060404100750.GG683@turion.vk2pj.dyndns.org> <20060404112938.G76562@fledge.watson.org>

Robert Watson wrote:
>
> Hmm. This sounds like it might be workable. To make sure I understand
> your proposal:
>
> - We add a new prison ID field to the in-kernel description of each
>   segment, semaphore, message queue, etc. This is initialized to the
>   prison ID of the process creating the object at the time of creation.
>
> - shmget(), et al, will, in addition to matching the key when searching
>   for an existing object, also attempt to match the prison ID of the
>   object to the process. For the sake of completeness, we will use
>   prison ID 0 for unjailed processes (or something along those lines).
>   This guarantees that two jails, or even the host and a jail, will
>   never receive an ID already allocated to another jail, and in
>   particular, not an ID for an object from another jail with the same
>   key as might be used in the current jail.
>
> - shmat(), et al, will perform an access control check to confirm that
>   if a process is jailed, its prison ID matches that of the object.
>
> Is it necessary, as you suggest, to change the IPC ID name space at
> all? I assume applications do consistently use shmget() to look up IDs,
> and that they can't/don't make assumptions about long-term persistence
> of those mappings across boot (which is effectively what a jail restart
> is)? Is the behavior of IPXSEQ_TO_IPCID() something that has documented
> or relied-on properties, or are we free to perform a mapping from a
> name (key) to an object (id) in any way we choose?
>
> I guess another change is also needed:
>
> - At jail termination, we GC all resources with the prison ID in
>   question.
>
> This prevents a future jail from turning up with the same ID and seeing
> old shared memory (etc.) segments.

FWIW, I already implemented this once for 5.x a while back, but abandoned
the project due to lack of time back then. If no one else is going to pick
this up, I might try and dig up that code again and port it to 6.x, since
this feature is still quite high on my wish list.

Best,

Koen

-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, hosting, embedded systems, unix, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program can't read?
Visit http://www.openpgp.org/
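The design Robert Watson summarises above (a prison ID stored on each IPC object, key lookups scoped to the caller's prison, an ownership check on attach, and garbage collection at jail teardown) can be modelled in a few dozen lines. The following is an added, user-space illustration written for this page; it is not FreeBSD kernel code and not the 5.x patch Koen mentions. The names (ipc_obj, jipc_get, jipc_attach, jipc_prison_gc), the fixed-size table and the error constants are inventions for the example. The ID encoding is a simplified slot/sequence scheme in the spirit of IPXSEQ_TO_IPCID, kept unchanged on purpose: the example shows that once lookup matches on key and prison together, the three scenarios from the quoted text (same key from host and two jails, cross-jail attach, jail restart) behave correctly without touching the ID name space.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of the per-jail SysV IPC scheme discussed in the
 * thread. Example code written for this page, not FreeBSD kernel code;
 * the names (ipc_obj, jipc_*) and the tiny fixed-size table are
 * inventions for the demonstration.
 */

#define HOST_PRISON 0      /* unjailed processes are treated as prison ID 0 */
#define NSLOTS      8      /* toy object table; the real kernel sizes this by sysctl */
#define ERR_INVAL  (-1)    /* stale or unknown ID */
#define ERR_ACCES  (-2)    /* object belongs to a different jail */
#define ERR_NOSPC  (-3)    /* table full */

struct ipc_obj {
    bool     used;
    int      key;          /* caller-supplied key, as passed to shmget() */
    int      prison;       /* prison ID recorded at creation */
    unsigned seq;          /* bumped on every reuse of the slot */
};

static struct ipc_obj table[NSLOTS];

/* Slot/sequence ID encoding in the spirit of IPXSEQ_TO_IPCID (simplified). */
static int make_id(int slot, unsigned seq) { return (int)(seq << 8) | slot; }
static int id_slot(int id)                 { return id & 0xff; }
static unsigned id_seq(int id)             { return (unsigned)id >> 8; }

void jipc_reset(void) { memset(table, 0, sizeof table); }

/* shmget() analogue: match on key AND prison, otherwise create a new object. */
int jipc_get(int key, int prison)
{
    int free_slot = -1;
    for (int i = 0; i < NSLOTS; i++) {
        if (table[i].used) {
            if (table[i].key == key && table[i].prison == prison)
                return make_id(i, table[i].seq);
        } else if (free_slot < 0) {
            free_slot = i;
        }
    }
    if (free_slot < 0)
        return ERR_NOSPC;
    table[free_slot].used   = true;
    table[free_slot].key    = key;
    table[free_slot].prison = prison;
    table[free_slot].seq++;               /* invalidates IDs from the slot's previous life */
    return make_id(free_slot, table[free_slot].seq);
}

/* shmat() analogue: ID must be live; a jailed caller must own the object. */
int jipc_attach(int id, int prison)
{
    int slot = id_slot(id);
    if (slot >= NSLOTS || !table[slot].used || table[slot].seq != id_seq(id))
        return ERR_INVAL;
    if (prison != HOST_PRISON && table[slot].prison != prison)
        return ERR_ACCES;                 /* per the quoted design, only jailed callers are checked */
    return 0;
}

/* Jail teardown: drop every object the prison owns; returns the count reclaimed. */
int jipc_prison_gc(int prison)
{
    int n = 0;
    for (int i = 0; i < NSLOTS; i++) {
        if (table[i].used && table[i].prison == prison) {
            table[i].used = false;
            n++;
        }
    }
    return n;
}

int main(void)
{
    jipc_reset();
    int host = jipc_get(0x1234, HOST_PRISON);   /* same key from host, jail 1, jail 2 */
    int j1   = jipc_get(0x1234, 1);
    int j2   = jipc_get(0x1234, 2);
    printf("host=%d jail1=%d jail2=%d (three distinct objects)\n", host, j1, j2);
    printf("jail 2 attaching jail 1's segment: %d (expect %d)\n", jipc_attach(j1, 2), ERR_ACCES);
    printf("jail 1 teardown reclaimed %d object(s)\n", jipc_prison_gc(1));
    printf("old jail 1 ID after teardown: %d (expect %d)\n", jipc_attach(j1, 1), ERR_INVAL);
    printf("fresh jail 1 gets id %d, not %d\n", jipc_get(0x1234, 1), j1);
    return 0;
}
```

Two points worth noticing when reading it against the quoted proposal. First, the attach check follows the wording "if a process is jailed": an unjailed caller (prison 0) may attach to any live object, so the host keeps its administrative view of jail IPC; a stricter policy would be a one-line change to the condition in jipc_attach. Second, the sequence counter is what makes the teardown GC sufficient: after jipc_prison_gc(1) the old ID fails with ERR_INVAL rather than silently resolving to whatever a later jail creates in the same slot, which is exactly the stale-segment problem the last paragraph of the quoted text is concerned with.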