From owner-freebsd-arch@FreeBSD.ORG Wed Jun 25 16:26:00 2003
Return-Path:
Delivered-To: freebsd-arch@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E9DE37B404; Wed, 25 Jun 2003 16:26:00 -0700 (PDT)
Received: from mx.nsu.ru (mx.nsu.ru [212.192.164.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC09743F75; Wed, 25 Jun 2003 16:25:58 -0700 (PDT) (envelope-from fjoe@iclub.nsu.ru)
Received: from mail by mx.nsu.ru with drweb-scanned (Exim 3.36 #1 (Debian)) id 19VJlk-0008K1-00; Thu, 26 Jun 2003 06:33:40 +0700
Received: from iclub.nsu.ru ([193.124.215.97] ident=root) by mx.nsu.ru with esmtp (Exim 3.36 #1 (Debian)) id 19VJku-0008C2-00; Thu, 26 Jun 2003 06:32:48 +0700
Received: from iclub.nsu.ru (fjoe@localhost [127.0.0.1]) by iclub.nsu.ru (8.12.9/8.12.9) with ESMTP id h5PNOgMk093691; Thu, 26 Jun 2003 06:24:42 +0700 (NSS) (envelope-from fjoe@iclub.nsu.ru)
Received: (from fjoe@localhost) by iclub.nsu.ru (8.12.9/8.12.9/Submit) id h5PNOf2I093690; Thu, 26 Jun 2003 06:24:41 +0700 (NSS)
Date: Thu, 26 Jun 2003 06:24:41 +0700
From: Max Khon
To: Pawel Jakub Dawidek
Message-ID: <20030625232441.GC92939@iclub.nsu.ru>
References: <20030624164602.GW7587@garage.freebsd.pl> <20030625175225.GS7587@garage.freebsd.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030625175225.GS7587@garage.freebsd.pl>
User-Agent: Mutt/1.4.1i
X-Envelope-To: nick@garage.freebsd.pl, rwatson@freebsd.org, freebsd-arch@freebsd.org
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.13.6.3
X-Spam-Status: No, hits=-106.5 required=5.0 tests=BOGOFILTER_TEST_PASS,EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES,USER_AGENT_MUTT,USER_IN_WHITELIST version=2.55
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
cc: Robert Watson
cc: freebsd-arch@freebsd.org
Subject: Re: Jailed sysvipc implementation.
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussion related to FreeBSD architecture
X-List-Received-Date: Wed, 25 Jun 2003 23:26:00 -0000

hi, there!

On Wed, Jun 25, 2003 at 07:52:25PM +0200, Pawel Jakub Dawidek wrote:

> +> We have some initial patches that wrap the user ipcperm structure in a
> +> kernel-specific structure, which we use to add a MAC label. It would be
> +> easy to also add a prison pointer. We probably won't get to merging this
> +> patch for a couple of weeks, but it's worth keeping in mind.
> +>
> +> http://www.watson.org/~robert/freebsd/mac_sysvipc.diff
> +>
> +> This needs style cleanup, bug fixing, testing, etc, but it's the direction
> +> we're pushing in for MAC right now.
>
> Hmm, I'm not sure if I understand the patch well, but with this stuff we will
> be able to run for example two postgresql servers in different jails?

no

> Or it only will provide denying specified requests?

yes. the goal is to use existing MAC framework to deny access to foreign
(from other jail) sysvipc objects.

/fjoe
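The distinction drawn in the reply above (cross-jail access is denied, but two servers in different jails still cannot each own the same SysV key) can be shown with a small user-space model. The code below is an added example written for this page; it is not code from mac_sysvipc.diff, from the jailed-sysvipc patch, or from FreeBSD. It assumes a single global key table shared by all jails, a hypothetical kernel-side wrapper (struct k_ipcperm) carrying a prison pointer around the user-visible ipcperm, a MAC-style check that only compares the caller's prison with the object's, and the convention that a NULL prison means the host. Real shmget(2) semantics, error ordering and the prison structure are simplified.

```c
/* Added example: user-space model of per-jail MAC checks on SysV IPC
 * objects. Not code from mac_sysvipc.diff or FreeBSD. The struct names,
 * the fixed-size table and the "NULL prison == host" convention are
 * assumptions made for this model. Build: cc -std=c99 -o jailipc jailipc.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_OBJS    16
#define IPC_PRIVATE 0
#define IPC_CREAT   01000
#define IPC_EXCL    02000

struct prison { int pr_id; };                 /* stand-in for the jail */

struct user_ipcperm { int key; int mode; };   /* the userland-visible ipcperm */

struct k_ipcperm {                            /* hypothetical kernel wrapper */
    struct user_ipcperm u;
    struct prison *pr;                        /* creating jail; NULL = host */
    int in_use;
};

/* One global table: the key namespace is still shared by every jail. */
static struct k_ipcperm shmtab[MAX_OBJS];

void shmtab_reset(void) { memset(shmtab, 0, sizeof(shmtab)); }

/* The MAC-style check: an object is reachable only from the prison that
 * created it. Host processes (NULL) get no exemption in this model. */
static int mac_check_sysv(const struct prison *subj, const struct k_ipcperm *obj)
{
    return subj == obj->pr ? 0 : EACCES;
}

/* Model of shmget(key, flags) issued from prison `subj`.
 * Returns a table index >= 0 on success, or -errno. */
int jailed_shmget(struct prison *subj, int key, int flags)
{
    int i;

    if (key != IPC_PRIVATE) {
        for (i = 0; i < MAX_OBJS; i++) {
            if (!shmtab[i].in_use || shmtab[i].u.key != key)
                continue;
            /* Key found. The MAC check runs before anything else, so a
             * foreign jail is refused instead of being handed the object
             * or being allowed to create a second one under the same key. */
            int err = mac_check_sysv(subj, &shmtab[i]);
            if (err)
                return -err;
            if ((flags & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL))
                return -EEXIST;
            return i;
        }
        if (!(flags & IPC_CREAT))
            return -ENOENT;
    }
    /* Not found (or IPC_PRIVATE): create and tag with the creating prison. */
    for (i = 0; i < MAX_OBJS; i++) {
        if (shmtab[i].in_use)
            continue;
        shmtab[i].in_use = 1;
        shmtab[i].u.key = key;
        shmtab[i].u.mode = flags & 0777;
        shmtab[i].pr = subj;
        return i;
    }
    return -ENOSPC;
}

int main(void)
{
    struct prison a = { 1 }, b = { 2 };
    const int key = 0x52e2c1;   /* constructed sample key */

    shmtab_reset();
    printf("jail A shmget(create): %d\n", jailed_shmget(&a, key, IPC_CREAT | 0600));
    printf("jail A shmget(reuse):  %d\n", jailed_shmget(&a, key, 0));
    printf("jail B shmget(create): %d (EACCES is %d)\n",
           jailed_shmget(&b, key, IPC_CREAT | 0600), -EACCES);
    return 0;
}
```

Jail B's request for the key jail A already created comes back EACCES rather than a fresh object, which is the "deny foreign access" behaviour; a per-jail namespace, where jail B would silently get its own object under the same key, is a separate piece of work that this check does not provide.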