From: Pawel Jakub Dawidek
To: Ruslan Ermilov
Cc: Josef Karthauser, Gleb Smirnoff, freebsd-current@freebsd.org
Date: Fri, 21 May 2004 11:41:19 +0200
Subject: Re: Call for a hacker.... security.bsd.see_other_uids in jails only
Message-ID: <20040521094119.GB845@darkness.comp.waw.pl>
In-Reply-To: <20040521090217.GB57989@ip.net.ua>

On Fri, May 21, 2004 at 12:02:17PM +0300, Ruslan Ermilov wrote:
+> I like the idea of per-jail sysctl MIB trees, e.g.:
+>
+> jail..security.bsd
+>
+> When jail gets created, the generic sysctl code would traverse
+> the primary sysctl tree (excluding the jail. subtree), and copy
+> and attach those that have some jail-related flag to the
+> jail.. branch.
+>
+> Inside the jail, jail..security.bsd branch would map to
+> just security.bsd.
+>
+> The generic sysctl code, when it detects it's run within a
+> jail, will find a sysctl node "foo.bar", and if it has a
+> jail-clone flag set, will remap a query to jail..foo.bar.
+>
+> Whether it's allowed to change a particular sysctl inside
+> a jail is another matter.

There are two main issues with our current sysctls implementation:
1. We cannot hide sysctls/sysctl-trees.
2. We're operating in most cases on integers.

We can work on 1, but we can't hack 2 easily, we have to transform
sysctls, that have to be treated on per-jail basis from SYSCTL_INT to
SYSCTL_PROC and if so, I'm not sure what we need security.jail. trees
for then. We can implement them in the same way security.jail.jailed
is implemented (it shows different value outside a jail and different
inside) and if we want to change it:

	# jexec /sbin/sysctl =

Of course, there could be no /sbin/sysctl utility inside a jail, but
I'll still suggest to add '-j' option to sysctl command to work just
like 'killall -j' (i.e. jail_attach(); sysctl();).

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
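
The SYSCTL_INT to SYSCTL_PROC change discussed in this message, as an added example that is not part of the original mail and is not FreeBSD code: a userland C model in which the handler picks the storage from the caller's credential, so each jail sees and changes only its own copy. All names (model_prison, model_cred, model_sysctl_see_other_uids) and the inherit-on-create policy are assumptions made for illustration.

```c
/* Userland model, not kernel code: every name here is hypothetical. */
#include <errno.h>
#include <stddef.h>

struct model_prison {               /* stands in for a jail */
    int pr_id;
    int pr_see_other_uids;          /* this jail's private copy of the knob */
};

struct model_cred {                 /* stands in for the caller's credential */
    struct model_prison *cr_prison; /* NULL when the caller is not jailed */
};

/* What a SYSCTL_INT binds to: one integer shared by every caller. */
static int see_other_uids = 1;

/* A new jail starts from the host's current value (assumed policy). */
void model_prison_init(struct model_prison *pr, int id)
{
    pr->pr_id = id;
    pr->pr_see_other_uids = see_other_uids;
}

/* Select the storage from the caller's credential. */
static int *knob_for(const struct model_cred *cred)
{
    return cred->cr_prison != NULL ? &cred->cr_prison->pr_see_other_uids
                                   : &see_other_uids;
}

/*
 * Handler in the style of a SYSCTL_PROC: oldp receives the current value,
 * newp (if non-NULL) supplies a new one. Returns 0 or an errno value.
 */
int model_sysctl_see_other_uids(const struct model_cred *cred,
                                int *oldp, const int *newp)
{
    int *knob = knob_for(cred);

    if (oldp != NULL)
        *oldp = *knob;
    if (newp != NULL) {
        if (*newp != 0 && *newp != 1)
            return EINVAL;          /* boolean knob: reject other values */
        *knob = *newp;
    }
    return 0;
}
```

A caller that has attached to a jail before issuing the request, as the jexec and proposed '-j' paths do, reaches that jail's copy through the same handler; a policy check on whether a jailed caller may write would sit just before the assignment.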