From owner-freebsd-rc@freebsd.org Sun Feb 24 10:00:32 2019 Return-Path: Delivered-To: freebsd-rc@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 122EB15195C0; Sun, 24 Feb 2019 10:00:32 +0000 (UTC) (envelope-from Alexander@leidinger.net) Received: from mailgate.Leidinger.net (mailgate.leidinger.net [IPv6:2a00:1828:2000:313::1:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C0C778DE70; Sun, 24 Feb 2019 10:00:28 +0000 (UTC) (envelope-from Alexander@leidinger.net) Date: Sun, 24 Feb 2019 11:00:15 +0100 Message-ID: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net> From: Alexander Leidinger To: freebsd-rc@freebsd.org, jail@freebsd.org Subject: Proposal: automatic jailing of services (rc.d/*) [patch] User-Agent: Horde Application Framework 5 Accept-Language: de,en Content-Type: multipart/signed; boundary="=_fy4n2tsDPmdHd3oieZ_dzqP"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 X-Rspamd-Queue-Id: C0C778DE70 X-Spamd-Bar: --------- X-Spamd-Result: default: False [-9.69 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[leidinger.net:s=outgoing-alex]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; TO_MATCH_ENVRCPT_ALL(0.00)[]; HAS_ATTACHMENT(0.00)[]; MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain]; TO_DN_NONE(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; DKIM_TRACE(0.00)[leidinger.net:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[leidinger.net,quarantine]; MX_GOOD(-0.01)[mailgate.leidinger.net]; SIGNED_PGP(-2.00)[]; NEURAL_HAM_SHORT(-0.98)[-0.980,0]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~]; IP_SCORE(-3.70)[ip: (-9.79), ipnet: 2a00:1828::/32(-4.86), asn: 34240(-3.83), country: DE(-0.01)]; ASN(0.00)[asn:34240, ipnet:2a00:1828::/32, country:DE]; RCVD_TLS_ALL(0.00)[]; MIME_UNKNOWN(0.10)[text/diff] X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-rc@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion related to /etc/rc.d design and implementation." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Feb 2019 10:00:32 -0000 This message is in MIME format and has been PGP signed. --=_fy4n2tsDPmdHd3oieZ_dzqP Content-Type: multipart/mixed; boundary="=_DFoVyw8E2SrFbHVI-kNCyDP" This message is in MIME format. --=_DFoVyw8E2SrFbHVI-kNCyDP Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, Thanks to MWL for his upcoming jail book, it inspired me to come up with th= is. Note, I'm not subscribed to freebsd-rc, please keep at least jail@ in=20=20 copy=20(I'm subscribed there). I propose to extend the rc system to automatically jail services in a=20=20 light=20sense (off by default, can be enabled on individual service=20=20 level).=20The "light sense" means to inherit the entire host (subject to=20= =20 options).=20All programs have still access to the entire filesystem=20=20 (subject=20to user access permissions). By default no network access.=20=20 Optional=20access to the hosts IPv4, IPv6, raw sockets or full access to=20= =20 all=20network related parts (see below for "service jail options").=20=20 Similar=20optional access for sysvipc, mlock and vmm. The benefit of this approach (aside of being able to prevent network=20=20 and=20other access if needed (without removing the network at all) when=20= =20 it=20is not enabled) is to put a service and all its children into a=20=20 limited=20process namespace. A service and its children only see=20=20 themselves=20but no other processes (a rc script which uses some checks=20= =20 in=20start_cmd to see if some other services/processes are started needs=20= =20 to=20be modified to do the checks in start_precmd, only start_cmd (and=20= =20 stop_cmd)=20is jailed in this design (so far), so that a service can=20=20 check=20a lot more than what is possible in a jail), and you can kill=20=20 all=20of those in one go (jail -r svcj-). Note: this can not be used for services which require access to=20=20 /dev/(k)mem,=20as this is prohibited in a jail even if the dev-entry is=20= =20 there=20(this means you can not enable this feature for services which=20= =20 start=20X.org to access a graphic card without my patches for X.org in a=20= =20 jail).=20Other hard-coded jail restrictions apply too off course. As an example for a service which needs network access, it would have=20=20 to=20have in the rc script : ${svcname_svcj_options:=3D"net_basic") to specify that it needs access to IPv4, IPv6 and access to reserved=20=20 ports=20(see below for more details). This way the service comes with a default setting and an admin can=20=20 override=20what the service is allowed to do on his discretion in rc.conf. There are off course drawbacks, depending on your point of view. If=20=20 you=20jail sshd, you can only see processes inside the sshd service jail=20= =20 via=20ps/top/..., you can not use commands which require access to=20=20 /dev/(k)mem,=20you can not start ntpd from such a ssh session, and you=20= =20 can=20not manage (stop/start via rc-means or kill) stuff which is=20=20 running=20in other service jails, or in short: all hard-coded jail=20=20 restrictions=20apply. If you stop such a service jail, the current=20=20 implementation=20removes the entire service jail (after running "service=20= =20 stop"=20inside), so for sshd this would mean that any ssh connection to=20= =20 the=20jailed sshd is killed instead of continuing like in the non=20=20 service=20jail case. So this is not something which can by enabled by=20=20 default=20and a careful review of what shall be handled in this way=20=20 needs=20to be done instead of enabling it blindly. To enable jailing of a service, an admin has to specify=20=20 svcname_svcj=3D"YES" in rc.conf and optionally options via=20=20 svcname_svcj_options=3D"xxx" if it wants to override the settings/access=20= =20 specified=20in the rc script (or set it if the rc script is not yet=20=20 modified=20to support service jails). A rc script shall not enable a service jail by default, it's up to the=20= =20 admin=20to enable that. This also works in jails, but requires to set children.max to an=20=20 appropriate=20value for those jails (see jail(8) or MWLs upcoming book=20= =20 for=20more info about hierarchical jails). As we expose=20=20 security.jail.param.children.*=20in jails, we could add a safetynet=20=20 inside=20the implementation to not use service jails even if configured,=20= =20 when=20"jailed and cur =3D max". RC settings: _svcj=3D"YES/NO" _svcj_options=3D"see_below" service jails options translations: netv4 -> ipv4=3Dinherit allow.reserved_ports netv6 -> ipv6=3Dinherit allow.reserved_ports net_basic -> ipv4=3Dinherit ipv6=3Dinherit allow.reserved_ports net_raw -> allow.raw_sockets net_all -> allow.socket_af allow.raw_sockets allow.reserved_ports=20=20 ipv4=3Dinherit ipv6=3Dinherit sysvipc -> sysvmsg=3Dinherit sysvsem=3Dinherit sysvshm=3Dinherit mlock -> allow.mlock vmm -> allow.vmm Attached is a proof of concept (only lightly tested with=20=20 start/stop/status/restart)=20so that you can play around with it a=20=20 little=20bit. Please don't focus on the patch. This mail is to seek=20=20 feedback=20about the feature and the quick design so far. To make it=20=20 explicit,=20I do not ask (yet) if and which service to handle like this=20= =20 by=20default. This is just the possibility to do something like this. Bye, Alexander. --=20 http://www.Leidinger.net=20Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_DFoVyw8E2SrFbHVI-kNCyDP-- --=_fy4n2tsDPmdHd3oieZ_dzqP Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJccmsvAAoJEBINsJsD+NiGXxQP/AkzLOI+MkW0EoQ/R+y9W/4U CCBvuFntPLYfN3agONbLwwu/DEt8xqPRCA1UDBK2pe9UQQQj9WcXbVvb8bsr64fM ZH+P0Wev/nkhRk0NyqQLvO0j2VRQnve9bnI8v1kdi5hjH9m796Ig81lHRBViCYTL qyE1qz+rO5ocY8yWi98vOZy6HD32eehcl1g8KlnfD+SQ7R9uQ5lQHA1fLiFrs17L HjVadlFX3QX6xsWKjrrQ53GTw7n+3mmtDYc+Jac+YEz5OT7TyK6tzobw6MkzNPnM juEL4gznT17E5e1gtWIuqq+ZWGdOqNWpuTTyc6X9IO2H58kMpjWp6USk3mqjNR0x bhaLadpsCh3yDo5c806JQ7mSYz5ryPPH7f/fYwcB99MIGcY3d+8KTgct65+pXyO8 2OxrDS3x9A+0BChFjdmNpLqoIiGBmj/3d1KaJJLbhKd0i/G+WpNdGuRiQk2N/7UD eXpylUa8Yb+vTNvsRn3Qt6tWGctcBxidFtzSGAWycSNieWGcmwK+zH/PhiFHKSK5 O3TOBMDbsdhGjG6Re4CxI0aTHlO1Jyu9Q87eW2DUMnPS1f6dlzwS/mHv3SWGrPWm jDwIgMBhlTFtMjowAkRmJcxn2HuvdsLz0jU4jqqcidTeCHvz9YoDiJb3rkoSxHiW xgXoToaNcFdeU1tUXY9P =Rx7/ -----END PGP SIGNATURE----- --=_fy4n2tsDPmdHd3oieZ_dzqP-- From owner-freebsd-rc@freebsd.org Sun Feb 24 20:37:42 2019 Return-Path: Delivered-To: freebsd-rc@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DD830150AA2D; Sun, 24 Feb 2019 20:37:42 +0000 (UTC) (envelope-from SRS0=h8Xr=Q7=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 764C1861EF; Sun, 24 Feb 2019 20:37:42 +0000 (UTC) (envelope-from SRS0=h8Xr=Q7=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 18B382842B; Sun, 24 Feb 2019 21:37:34 +0100 (CET) Received: from illbsd.quip.test (ip-86-49-16-209.net.upcbroadband.cz [86.49.16.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 74B2928429; Sun, 24 Feb 2019 21:37:28 +0100 (CET) Subject: Re: Proposal: automatic jailing of services (rc.d/*) [patch] To: Alexander Leidinger , freebsd-rc@freebsd.org, jail@freebsd.org References: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: Date: Sun, 24 Feb 2019 21:37:19 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 764C1861EF X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.96 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.996,0]; NEURAL_HAM_SHORT(-0.96)[-0.963,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[] X-BeenThere: freebsd-rc@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion related to /etc/rc.d design and implementation." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Feb 2019 20:37:43 -0000 Alexander Leidinger via freebsd-jail wrote on 2019/02/24 11:00: [...] > Attached is a proof of concept (only lightly tested with > start/stop/status/restart) so that you can play around with it a little > bit. Please don't focus on the patch. This mail is to seek feedback > about the feature and the quick design so far. To make it explicit, I do > not ask (yet) if and which service to handle like this by default. This > is just the possibility to do something like this. Interesting idea but patch was stripped by mailing list. Can you put it online and post the link to it? Kind regards Miroslav Lachman From owner-freebsd-rc@freebsd.org Sun Feb 24 21:01:06 2019 Return-Path: Delivered-To: freebsd-rc@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 69D99150C155 for ; Sun, 24 Feb 2019 21:01:06 +0000 (UTC) (envelope-from bugzilla-noreply@FreeBSD.org) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 01C1387F82 for ; Sun, 24 Feb 2019 21:01:06 +0000 (UTC) (envelope-from bugzilla-noreply@FreeBSD.org) Received: by mailman.ysv.freebsd.org (Postfix) id B6DF6150C151; Sun, 24 Feb 2019 21:01:05 +0000 (UTC) Delivered-To: rc@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A2EBE150C14F for ; Sun, 24 Feb 2019 21:01:05 +0000 (UTC) (envelope-from bugzilla-noreply@FreeBSD.org) Received: from mxrelay.ysv.freebsd.org (mxrelay.ysv.freebsd.org [IPv6:2001:1900:2254:206a::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.ysv.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0336687F76 for ; Sun, 24 Feb 2019 21:01:05 +0000 (UTC) (envelope-from bugzilla-noreply@FreeBSD.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.ysv.freebsd.org (Postfix) with ESMTPS id 1984B7323 for ; Sun, 24 Feb 2019 21:01:04 +0000 (UTC) (envelope-from bugzilla-noreply@FreeBSD.org) Received: from kenobi.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id x1OL13Nv086245 for ; Sun, 24 Feb 2019 21:01:03 GMT (envelope-from bugzilla-noreply@FreeBSD.org) Received: (from bugzilla@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id x1OL13ob086239 for rc@FreeBSD.org; Sun, 24 Feb 2019 21:01:03 GMT (envelope-from bugzilla-noreply@FreeBSD.org) Message-Id: <201902242101.x1OL13ob086239@kenobi.freebsd.org> X-Authentication-Warning: kenobi.freebsd.org: bugzilla set sender to bugzilla-noreply@FreeBSD.org using -f From: bugzilla-noreply@FreeBSD.org To: rc@FreeBSD.org Subject: Problem reports for rc@FreeBSD.org that need special attention Date: Sun, 24 Feb 2019 21:01:03 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-rc@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion related to /etc/rc.d design and implementation." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Feb 2019 21:01:06 -0000 To view an individual PR, use: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id). The following is a listing of current problems submitted by FreeBSD users, which need special attention. These represent problem reports covering all versions including experimental development code and obsolete releases. Status | Bug Id | Description ------------+-----------+--------------------------------------------------- Open | 235122 | rc.subr limits call breaks non-root usage 1 problems total for which you should take action. From owner-freebsd-rc@freebsd.org Mon Feb 25 08:53:49 2019 Return-Path: Delivered-To: freebsd-rc@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3518C1502645; Mon, 25 Feb 2019 08:53:49 +0000 (UTC) (envelope-from woodsb02@gmail.com) Received: from mail-ua1-x92b.google.com (mail-ua1-x92b.google.com [IPv6:2607:f8b0:4864:20::92b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A548982FE4; Mon, 25 Feb 2019 08:53:48 +0000 (UTC) (envelope-from woodsb02@gmail.com) Received: by mail-ua1-x92b.google.com with SMTP id c5so7620370uaq.7; Mon, 25 Feb 2019 00:53:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=42778bM5EES4q79xF52Ny4x6dmdZ9w/BHVWijYvFBCM=; b=NvFafiw1ixYWaRuZtxtK/s+HAPuY5+95GXfcq9vsML4+vWSJxglX0HH/dLfLe3AS61 ZabAMYwFuNJzuySUeX811XzmGbSLlLO56hOPzmroOULiQJ9Wnp7revLUHzgz/IV3sSNO TqKh2nbRlpIkoVvmY8FgTJFuYc9nSUjKNHKyuW0Z+gh1BGfL2cMyX8o8xxxSzmLnlAd7 7yy5OZu3z159NlH7GjwReRdJ3lu3eWdX8mdf1Oa/YjfN5/GWRQhnoagwZYCZgalhnDvX WOhdsamV16Rp7UKcXEjI9YuQHShJrMsx0w6BX4g1jSJrB7c+7iguIWmehN1fBawN4bHt xblA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=42778bM5EES4q79xF52Ny4x6dmdZ9w/BHVWijYvFBCM=; b=r29yXtCbb4DWrtBk50loRQK4hOF9MlwOWSLPGQKL/QIZr0rFHmP6nqu2Chval/KE/1 qYtrDikqC2SZLkP0EJv0Vv2mH3pxhyaX7MgyL6vgxGHmO5KVEMXa7vBh8k/oWgvL3Vf4 HcbRblyIo4NYFOcJgSLCjbsP6cq5rEpa2E/+UbnP6UDXVPvK4lEuqCOgaYq3ARlmglVP qXFZbfHpeCyPcgphs0kYZfX/ioqQM+g0BKjTvrEZuD0Bfp058D249OMx7ouPt2m+fJw1 r8nTcdBZ0acZ04cwQaG1As+AXjFfEKmBRepN7tKZsZLHyg5oxtnAD7dxn80BOAIjBeoh L58w== X-Gm-Message-State: AHQUAuYlRP+Ga9QqgNwURNfRwK/ZC4BVAlp0OT9VUeIeQbOdvs/mLm7H CmqrQxOqo6Bg+Z389saXgD9b2Qx09oiveUFi6R8hjYWo X-Google-Smtp-Source: AHgI3IbbDaZ/DZMgOf0K8CNWSihPrhhuDuPbivPe5KtCkrNOP+G1RBr3Cntz32LMPEwyYO2GRlhaxEmXhLv5MMRRucw= X-Received: by 2002:a67:ed04:: with SMTP id l4mr8334214vsp.20.1551084827971; Mon, 25 Feb 2019 00:53:47 -0800 (PST) MIME-Version: 1.0 References: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net> In-Reply-To: From: Ben Woods Date: Mon, 25 Feb 2019 16:53:40 +0800 Message-ID: Subject: Re: Proposal: automatic jailing of services (rc.d/*) [patch] To: Miroslav Lachman <000.fbsd@quip.cz> Cc: Alexander Leidinger , freebsd-rc@freebsd.org, jail@freebsd.org X-Rspamd-Queue-Id: A548982FE4 X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.94 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.94)[-0.939,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-rc@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion related to /etc/rc.d design and implementation." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Feb 2019 08:53:49 -0000 On Mon, 25 Feb 2019 at 10:24, Miroslav Lachman <000.fbsd@quip.cz> wrote: > Interesting idea but patch was stripped by mailing list. Can you put it > online and post the link to it? > Indeed, interesting idea! The best options would be to attach the patch either to a bugzilla report ( https://bugs.freebsd.org) or a phabricator review ( https://reviews.freebsd.org). Regards, Ben -- From: Benjamin Woods woodsb02@gmail.com From owner-freebsd-rc@freebsd.org Mon Feb 25 09:12:00 2019 Return-Path: Delivered-To: freebsd-rc@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2AF7C1502F2A; Mon, 25 Feb 2019 09:12:00 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from mailgate.Leidinger.net (mailgate.leidinger.net [IPv6:2a00:1828:2000:313::1:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8C8E783744; Mon, 25 Feb 2019 09:11:59 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from [192.168.1.32] (unknown [192.168.1.32]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (Client did not present a certificate) (Authenticated sender: Alexander@Leidinger.net) by outgoing.leidinger.net (Postfix) with ESMTPSA id 0E0D2307D; Mon, 25 Feb 2019 10:11:26 +0100 (CET) From: Alexander Leidinger To: Miroslav Lachman <000.fbsd@quip.cz>, , Date: Mon, 25 Feb 2019 10:11:24 +0100 Message-ID: <16923ec5260.27fa.fa4b1493b064008fe79f0f905b8e5741@Leidinger.net> In-Reply-To: References: <20190224110015.Horde.A9mrXMmDLkoyCbU47t5UxjM@webmail.leidinger.net> Subject: Re: Proposal: automatic jailing of services (rc.d/*) [patch] MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="us-ascii" Content-Transfer-Encoding: 8bit X-Leidinger-net-MailScanner-Information: Please contact the ISP for more information X-Leidinger-net-MailScanner-ID: 4D4E823BD7.A7EA6 X-Leidinger-net-MailScanner: Found to be clean X-Leidinger-net-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-3, required 6, autolearn=not spam, ALL_TRUSTED -1.00, BAYES_00 -1.90, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10) X-Leidinger-net-MailScanner-From: alexander@leidinger.net X-Leidinger-net-MailScanner-Watermark: 1551690704.38929@+LRNgKpOJijOkL8vTZPixw X-Leidinger-net-Spam-Status: No X-Rspamd-Queue-Id: 8C8E783744 X-Spamd-Bar: ------ X-Spamd-Result: default: False [-6.99 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.99)[-0.988,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[] X-BeenThere: freebsd-rc@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion related to /etc/rc.d design and implementation." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Feb 2019 09:12:00 -0000 http://www.leidinger.net/FreeBSD/current-patches/rc_svc_jails.diff -- Send from a mobile device, please forgive brevity and misspellings. Am 24. Februar 2019 9:48:19 nachm. schrieb Miroslav Lachman <000.fbsd@quip.cz>: > Alexander Leidinger via freebsd-jail wrote on 2019/02/24 11:00: > > [...] > >> Attached is a proof of concept (only lightly tested with >> start/stop/status/restart) so that you can play around with it a little >> bit. Please don't focus on the patch. This mail is to seek feedback >> about the feature and the quick design so far. To make it explicit, I do >> not ask (yet) if and which service to handle like this by default. This >> is just the possibility to do something like this. > > Interesting idea but patch was stripped by mailing list. Can you put it > online and post the link to it? > > Kind regards > Miroslav Lachman