From owner-svn-src-head@FreeBSD.ORG Tue Mar 3 12:00:13 2015 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6C63C8C5; Tue, 3 Mar 2015 12:00:13 +0000 (UTC) Received: from woozle.rinet.ru (woozle.rinet.ru [195.54.192.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DF1E5E57; Tue, 3 Mar 2015 12:00:12 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by woozle.rinet.ru (8.14.5/8.14.5) with ESMTP id t23BtSxC029372; Tue, 3 Mar 2015 14:56:28 +0300 (MSK) (envelope-from marck@rinet.ru) Date: Tue, 3 Mar 2015 14:55:28 +0300 (MSK) From: Dmitry Morozovsky To: Ian Lepore Subject: Re: svn commit: r279361 - in head: sys/kern sys/sys usr.sbin/jail In-Reply-To: <1425327800.1287.7.camel@freebsd.org> Message-ID: References: <201502271628.t1RGSurE067472@svn.freebsd.org> <54F42726.3000602@freebsd.org> <1425327800.1287.7.camel@freebsd.org> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) X-NCC-RegID: ru.rinet X-OpenPGP-Key-ID: 6B691B03 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (woozle.rinet.ru [0.0.0.0]); Tue, 03 Mar 2015 14:56:28 +0300 (MSK) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Julian Elischer X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Mar 2015 12:00:13 -0000 On Mon, 2 Mar 2015, Ian Lepore wrote: > > > Log: > > > Allow the kern.osrelease and kern.osreldate sysctl values to be set in a > > > jail's creation parameters. This allows the kernel version to be reliably > > > spoofed within the jail whether examined directly with sysctl or > > > indirectly with the uname -r and -K options. > > > [..] > > > > > There is no sanity or range checking, other than disallowing an empty > > > release string or a zero release date, by design. The system > > > administrator is trusted to set sane values. Setting values that are > > > newer than the actual running kernel will likely cause compatibility > > > problems. > > > > > I would think that you could at set time ensure that only older > > releases were allowed.. > > I'm not sure what the rule would be with sub-sub-jails.. older than > > parent, or older than base system..? > > > > > > I am a really really strong believer in giving administrators complete > control of their systems. If they want to do "something stupid" because > it works for them, I'm not going to stop them. Well, what about giving them a hinting warning in such case? -- Sincerely, D.Marck [DM5020, MCK-RIPE, DM3-RIPN] [ FreeBSD committer: marck@FreeBSD.org ] ------------------------------------------------------------------------ *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru *** ------------------------------------------------------------------------