From owner-cvs-all Wed Nov 1 9:58:12 2000
Delivered-To: cvs-all@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 152EA37B4C5; Wed, 1 Nov 2000 09:58:08 -0800 (PST)
Received: (from rwatson@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id JAA28087;
	Wed, 1 Nov 2000 09:58:08 -0800 (PST)
	(envelope-from rwatson@FreeBSD.org)
Message-Id: <200011011758.JAA28087@freefall.freebsd.org>
From: Robert Watson
Date: Wed, 1 Nov 2000 09:58:08 -0800 (PST)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/kern kern_jail.c sysv_msg.c sysv_sem.c sysv_shm.c src/sys/sys jail.h
X-FreeBSD-CVS-Branch: RELENG_4
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

rwatson     2000/11/01 09:58:08 PST

  Modified files:        (Branch: RELENG_4)
    sys/kern             kern_jail.c sysv_msg.c sysv_sem.c sysv_shm.c
    sys/sys              jail.h
  Log:
  o MFC of System V IPC disabling in jail():

    1.8       +6 -1      src/sys/kern/kern_jail.c
    1.26      +17 -1     src/sys/kern/sysv_msg.c
    1.29      +14 -1     src/sys/kern/sysv_sem.c
    1.49      +20 -1     src/sys/kern/sysv_shm.c
    1.10      +2 -1      src/sys/sys/jail.h

    Log:
    o Deny access to System V IPC from within jail by default, as in the
      current implementation, jail neither virtualizes the Sys V IPC
      namespace, nor provides inter-jail protections on IPC objects.
    o Support for System V IPC can be enabled by setting
      jail.sysvipc_allowed=1 using sysctl.
    o This is not the "real fix" which involves virtualizing the System V
      IPC namespace, but prevents processes within jail from influencing
      those outside of jail when not approved by the administrator.

    Reported by: Paulo Fragoso

  Revision    Changes    Path
  1.6.2.2     +6 -1      src/sys/kern/kern_jail.c
  1.23.2.3    +17 -1     src/sys/kern/sysv_msg.c
  1.24.2.4    +14 -1     src/sys/kern/sysv_sem.c
  1.45.2.3    +20 -1     src/sys/kern/sysv_shm.c
  1.8.2.2     +2 -1      src/sys/sys/jail.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
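
One way to confirm the default described in the log from inside a jail, as an added example that is not part of the commit or the FreeBSD source: a probe that tries each of the three System V IPC facilities and removes whatever it creates. It assumes a denied call fails with ENOSYS, which the message does not state; the function and enum names are hypothetical.

```c
/* Added example: probe whether System V IPC is usable from this process. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/sem.h>
#include <sys/shm.h>

enum verdict { V_USABLE, V_DENIED, V_OTHER_ERROR };

/* Assumption: a call refused by jail policy fails with ENOSYS. Any other
 * errno (ENOSPC, ENOMEM, ...) is a resource limit and says nothing about
 * whether the policy is in force. */
enum verdict classify(int rc, int err)
{
    if (rc >= 0)
        return V_USABLE;
    return err == ENOSYS ? V_DENIED : V_OTHER_ERROR;
}

/* Each probe creates a private object and removes it again at once. */
enum verdict probe_shm(void)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600), err = errno;
    if (id >= 0) shmctl(id, IPC_RMID, NULL);
    return classify(id, err);
}
enum verdict probe_sem(void)
{
    int id = semget(IPC_PRIVATE, 1, IPC_CREAT | 0600), err = errno;
    if (id >= 0) semctl(id, 0, IPC_RMID);
    return classify(id, err);
}
enum verdict probe_msg(void)
{
    int id = msgget(IPC_PRIVATE, IPC_CREAT | 0600), err = errno;
    if (id >= 0) msgctl(id, IPC_RMID, NULL);
    return classify(id, err);
}

int main(void)
{
    static const char *names[] = { "usable", "denied", "other error" };
    enum verdict shm, sem, msg;
    signal(SIGSYS, SIG_IGN); /* a missing syscall then returns ENOSYS */
    shm = probe_shm(); sem = probe_sem(); msg = probe_msg();
    printf("shm: %s\nsem: %s\nmsg: %s\n", names[shm], names[sem], names[msg]);
    /* Exit 0 only when no facility is usable. */
    return (shm == V_USABLE || sem == V_USABLE || msg == V_USABLE) ? 1 : 0;
}
```

Run inside the jail, an exit status of 1 means at least one facility is reachable, which is expected only where the administrator has set jail.sysvipc_allowed=1.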