Date: Wed, 10 Sep 2025 14:12:59 -0700
From: James Gritton <jamie@freebsd.org>
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 851dc7f859c2 - main - jail: add jail descriptors
Message-ID: <5581284543566ead0e0aea27b6e11dbf@freebsd.org>
In-Reply-To: <aME-zM4Qbtl6efiR@kib.kiev.ua>
References: <202509042031.584KVpxY000408@gitrepo.freebsd.org> <aLokHDP-EMa1LR0D@kib.kiev.ua> <da6b56365c188ce55bb4e878636bc911@freebsd.org> <aLpxozYUfi_S-U7b@kib.kiev.ua> <2f66c886ab44aea5ad2e57cc72c03e3f@freebsd.org> <aLzRSTtSdzSJ5tOn@kib.kiev.ua> <24a1f2413af24eea3fb5e9be9c05c4bd@freebsd.org> <aME-zM4Qbtl6efiR@kib.kiev.ua>
On 2025-09-10 02:03, Konstantin Belousov wrote:
> First, since you already mentioned a desire to capsicumize jfds, I think it
> is already a huge wart in the interface.  The function that opens (or
> creates) fd from a jail id, must not take just jail.  It should be
> namespace-aware already.  In other words, it should take existing jfd
> and create a child jail, returning jfd for it.  The existing jfd gives
> the namespace container to start with, which is essentially how capsicum
> is organizing the rights limiting.
>
> For the bootstrapping, the prison0 non-capentered process can pass a special
> id for jfd to reference prison0, similar to how AT_FDCWD marks '.' for *at(2)
> syscalls.

The current jaildesc code is namespace-aware, via the JAIL_AT_DESC flag.  So
if you have a descriptor for jail "foo" and you create "bar", you end up
creating "foo.bar" just as you would if you were already attached to jail
"foo".  Similarly, if you look up by jid, it only works when that jail is a
descendant of "foo".

Yes, getting jid 0 makes sense for bootstrapping - it already means "the
current jail" in other contexts.  The resulting descriptor would be flagged
as only for JAIL_AT_DESC use, without the ability to modify, remove, or
attach to it, regardless of whether capsicum is enabled.

- Jamie
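The scoping rules Jamie describes (a descriptor for "foo" creates "foo.bar", jid lookups only resolve descendants, jid 0 names the descriptor's own jail, and a bootstrap prison0 descriptor is usable as a lookup base but not for attach/remove/modify) can be checked against a small model. The following is an added illustration written for this page, not FreeBSD code and not the jaildesc implementation: the names JailTree, JailDesc, create_child, lookup_by_jid, bootstrap_desc, attach and remove are invented here, and the model assumes one naming level per create call.

```python
"""Plain-Python model of descriptor-scoped jail namespace rules.

Added example, not FreeBSD code.  It mimics the behaviour described in the
message: lookups and creates are relative to the jail a descriptor refers
to, and a bootstrap prison0 descriptor may only serve as such a base.
"""
from dataclasses import dataclass


@dataclass
class Prison:
    jid: int
    name: str     # full dotted name, e.g. "foo.bar"; prison0 is ""
    parent: int   # jid of the parent; prison0 is its own parent


@dataclass(frozen=True)
class JailDesc:
    jid: int
    at_only: bool = False   # True: usable only as a lookup/create base


class JailTree:
    def __init__(self):
        self.prisons = {0: Prison(0, "", 0)}   # prison0, the host
        self.next_jid = 1

    def _is_descendant(self, jid, base):
        """True if jid is base itself or lies below base in the hierarchy."""
        cur = jid
        while True:
            if cur == base:
                return True
            if cur == 0:
                return False
            cur = self.prisons[cur].parent

    def bootstrap_desc(self):
        """Handle a non-capsicum process starts from: refers to prison0,
        but cannot be used to attach to, remove, or modify prison0."""
        return JailDesc(0, at_only=True)

    def create_child(self, desc, name):
        """Create a child of the jail desc refers to; returns its descriptor.
        Assumption of this model: one naming level per call (no dots)."""
        if "." in name or not name:
            raise ValueError("name must be a single hierarchy component")
        base = self.prisons[desc.jid]
        full = name if base.jid == 0 else f"{base.name}.{name}"
        jid, self.next_jid = self.next_jid, self.next_jid + 1
        self.prisons[jid] = Prison(jid, full, base.jid)
        return JailDesc(jid)

    def lookup_by_jid(self, desc, jid):
        """Resolve jid relative to desc: jid 0 means desc's own jail, and any
        other jid must be a descendant of it.  Returns a descriptor."""
        if jid == 0:
            return desc                     # keeps at_only for bootstrap
        if jid not in self.prisons or not self._is_descendant(jid, desc.jid):
            raise LookupError(f"jid {jid} is not visible from jail {desc.jid}")
        return JailDesc(jid)

    def attach(self, desc):
        """Attach to the jail; refused for an at_only (bootstrap) descriptor."""
        if desc.at_only:
            raise PermissionError("descriptor is valid only as a lookup base")
        return self.prisons[desc.jid].name

    def remove(self, desc):
        """Remove the jail and everything below it; refused for at_only."""
        if desc.at_only:
            raise PermissionError("descriptor is valid only as a lookup base")
        doomed = [j for j in self.prisons if self._is_descendant(j, desc.jid)]
        for j in doomed:
            del self.prisons[j]
        return sorted(doomed)


def visible(tree, desc, jid):
    """Convenience predicate: can jid be resolved through desc?"""
    try:
        tree.lookup_by_jid(desc, jid)
        return True
    except LookupError:
        return False


def demo():
    """Walk through the scenario from the message and return the outcomes."""
    t = JailTree()
    host = t.bootstrap_desc()
    foo = t.create_child(host, "foo")
    bar = t.create_child(foo, "bar")      # created relative to "foo"
    baz = t.create_child(host, "baz")     # a sibling of "foo"
    try:
        t.attach(host)
        host_attach = "allowed"
    except PermissionError:
        host_attach = "refused"
    return {
        "bar_name": t.prisons[bar.jid].name,          # "foo.bar"
        "bar_from_foo": visible(t, foo, bar.jid),     # True: descendant
        "baz_from_foo": visible(t, foo, baz.jid),     # False: sibling
        "self_via_jid0": t.lookup_by_jid(foo, 0).jid == foo.jid,
        "host_attach": host_attach,                   # "refused"
        "removed_by_foo": t.remove(foo),              # foo and foo.bar
    }
```

Running demo() shows the two halves of the argument side by side: relative naming and descendant-only visibility come from the base descriptor, while the at_only flag is what makes the prison0 bootstrap handle safe to hand out even outside capability mode.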
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5581284543566ead0e0aea27b6e11dbf>