Date: Sat, 25 Sep 1999 15:34:31 +0200 From: Poul-Henning Kamp <phk@critter.freebsd.dk> To: Alexander Bezroutchko <abb@zenon.net> Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: about jail Message-ID: <11744.938266471@critter.freebsd.dk> In-Reply-To: Your message of "Sat, 25 Sep 1999 17:17:12 %2B0400." <19990925171712.A80535@zenon.net>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <19990925171712.A80535@zenon.net>, Alexander Bezroutchko writes: >* ping, traceroute doesn't work due to lack of permissionis to create icmp socket. > I think it is simple to make workaround for such problems: > create a daemon listening on a unix domain socket for request from a jail. > Daemon will take request and the pid of requesting process, validate it, > process and return answer to client. That would work. >* only one IP address is available in jail > It is acceptable limitation, but some daemons would like to use localhost > address (127.0.0.1). 127.0.0.1 is mapped to the jail address. telnet localhost does what you'd expect it to. >* whole kernel MIB is readable, and kern.hostname is writable from jail > I think we should restrict information about system available from jail -- > leave readable only data required for proper work of libc > functions like gethostname,getpagesize,sysconf, etc. kern.hostname only writes the name for that jail. > If we leave kern.hostname writable from jail, we should > add new field to `struct jail', say `jailname'. It's called "p_prison->pr_host" and it was there from day #1. > And > /proc/<PID>/status must show this value. It already does. >* scheduling > Scheduler must provide equal time quantum to each jail. I think > something like "fair share scheduler" required. Is there any plans > to implement such scheme in FreeBSD ? Not from me. >* resource limits > Current resource limit scheme does not provide enough isolation of jails. no plans. >* it is possible to escape from jail > Following program escapes from jail (tested under 4.0-19990918-CURRENT): You're right, I've overlooked that one. Will fix. >Does anybody already encountered and solved problems described above >or have an ideas ? No, this is the first one I've heard about. -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." FreeBSD -- It will take a long time before progress goes too far! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?11744.938266471>