From owner-freebsd-jail@FreeBSD.ORG Thu Sep 25 09:40:52 2014
From: Ruben van Staveren
Date: Thu, 25 Sep 2014 11:40:43 +0200
To: freebsd-jail@freebsd.org, "freebsd-stable@FreeBSD.org Stable"
Subject: fdescfs patch for working hierarchical jails

Hi,

Could a committer have a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?

This enables fdescfs in hierarchical jails, would be nice to have this for 10.1

Thanks!

Best Regards,
Ruben van Staveren

From owner-freebsd-jail@FreeBSD.ORG Fri Sep 26 19:43:55 2014
From: James Gritton
Date: Fri, 26 Sep 2014 13:28:32 -0600
To: freebsd-jail@freebsd.org, "freebsd-stable@FreeBSD.org Stable"
Subject: Re: fdescfs patch for working hierarchical jails

On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
> Hi,
>
> Could a committer have a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
>
> This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
>
> Thanks!
>
> Best Regards,
> Ruben van Staveren

This would have to go into current first, and then MFC. Considering
10.1 is getting close to release, I suspect it wouldn't be allowed in.

Also, I'm not sure I'd want to implement this in quite the proposed
way: it might suffice (from a security viewpoint) to use the existing
allow.mount.devfs for mounting fdescfs.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Sat Sep 27 12:07:05 2014
From: Ruben van Staveren
Date: Sat, 27 Sep 2014 14:06:49 +0200
To: James Gritton
Cc: freebsd-jail@freebsd.org, "freebsd-stable@FreeBSD.org Stable"
Subject: Re: fdescfs patch for working hierarchical jails

Hi James, others,

On 26 Sep 2014, at 21:28, James Gritton wrote:

> On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
>> Hi,
>>
>> Could a committer have a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
>>
>> This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
>>
>> Thanks!
>>
>> Best Regards,
>> Ruben van Staveren
>
> This would have to go into current first, and then MFC. Considering
> 10.1 is getting close to release, I suspect it wouldn't be allowed in.

I agree, probably better to do it that way indeed.

> Also, I'm not sure I'd want to implement this in quite the proposed
> way: it might suffice (from a security viewpoint) to use the existing
> allow.mount.devfs for mounting fdescfs.

Wouldn’t that be misleading? It would be better to mop up the various pseudofses under the monicker allow.mount.pseudofs.

>
> - Jamie

- Ruben

From owner-freebsd-jail@FreeBSD.ORG Sat Sep 27 16:18:41 2014
From: James Gritton
Date: Sat, 27 Sep 2014 10:18:32 -0600
To: freebsd-jail@freebsd.org, "freebsd-stable@FreeBSD.org Stable"
Subject: Re: fdescfs patch for working hierarchical jails

On 9/27/2014 6:06 AM, Ruben van Staveren wrote:
> Hi James, others,
>
> On 26 Sep 2014, at 21:28, James Gritton wrote:
>
>> On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
>>> Hi,
>>>
>>> Could a committer have a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
>>>
>>> This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
>>>
>>> Thanks!
>>>
>>> Best Regards,
>>> Ruben van Staveren
>> This would have to go into current first, and then MFC. Considering
>> 10.1 is getting close to release, I suspect it wouldn't be allowed in.
> I agree, probably better to do it that way indeed.
>
>> Also, I'm not sure I'd want to implement this in quite the proposed
>> way: it might suffice (from a security viewpoint) to use the existing
>> allow.mount.devfs for mounting fdescfs.
> Wouldn’t that be misleading? It would be better to mop up the various pseudofses under the monicker allow.mount.pseudofs.

My thinking is that fdescfs is practically the same as what devfs
already offers - just more descriptors in /dev/fd than the basic three.
I can't see why allowing one wouldn't be akin to allowing the other. In
fact, I fail to understand why it was made a separate filesystem in the
first place. Perhaps someone on the sec team will tell me otherwise
when I ask (which I ought to do before forging ahead).

- Jamie