Date: Sat, 21 Oct 2017 18:55:34 -0400
From: Allan Jude <allanjude@freebsd.org>
To: Steven Hartland <steven.hartland@multiplay.co.uk>, Steve Wills <swills@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r318751 - in head/sys: kern sys
Message-ID: <96e0c0bc-eb9c-2ffa-9216-88678d0e8730@freebsd.org>
In-Reply-To: <CAHEMsqZr4heWmJ2R-v=ct4dAvmj6rveZ4=5wNaaMz_=+KNNnOQ@mail.gmail.com>
References: <201705231659.v4NGxOB8013882@repo.freebsd.org> <c156a912-6305-4cc4-261c-5545742d9801@freebsd.org> <CAHEMsqZr4heWmJ2R-v=ct4dAvmj6rveZ4=5wNaaMz_=+KNNnOQ@mail.gmail.com>
On 2017-10-21 18:45, Steven Hartland wrote:
> Personally I hate that idea as I like being able to see all the processes
> from the host.
>
> I have a similar hate of Linux containers where you have to jump through
> hoops just to see what's really happening on the host.
>
> On Sat, 21 Oct 2017 at 20:29, Allan Jude <allanjude@freebsd.org
> <mailto:allanjude@freebsd.org>> wrote:
>
> On 2017-05-23 12:59, Steve Wills wrote:
> > Author: swills (ports committer)
> > Date: Tue May 23 16:59:24 2017
> > New Revision: 318751
> > URL: https://svnweb.freebsd.org/changeset/base/318751
> >
> > Log:
> >   Add security.bsd.see_jail_proc
> >
> >   Add security.bsd.see_jail_proc sysctl to hide jail processes from non-root
> >   users
> >
> >   Reviewed by:        jamie
> >   Approved by:        allanjude
> >   Relnotes:           yes
> >   Differential Revision:      https://reviews.freebsd.org/D10770
> >
> A user was asking about this issue on IRC today.
>
> I think I have changed my mind a bit.
>
> I think we should make the default be off (so you can't see processes in
> a jail from the host) by default in 12.
>
> And that we should MFC this sysctl to stable/11, but not change the
> default behaviour there.
>
> Anyone else have thoughts?
>
> --
> Allan Jude
>

Note: this does NOT change root's ability to see the processes in the jail.

It just stops uid 1001 on the host from using the processes owned by uid 1001 in each jail, even in the presence of: security.bsd.see_other_uids=0

-- 
Allan Jude
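The visibility rule Allan spells out at the end of the thread (see_other_uids=0 does not separate a host uid from the same uid inside a jail, see_jail_proc=0 does, and root is unaffected by either) can be seen in a small model. The following C program is an added illustration, not part of the mailing-list thread and not the FreeBSD kernel's cr_cansee() code: the function names prefixed with model_, the order of the checks, the flat one-level jail model (prison 0 is the host, any other number a jail directly under it) and the use of uid 0 as a stand-in for the kernel's privilege check are all assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>

/*
 * Constructed model of the process-visibility checks discussed above.
 * This is NOT the kernel's cr_cansee(); names, check ordering and the
 * one-level jail model are assumptions made for this illustration.
 */

/* The two sysctl knobs as the model sees them (1 = allow, 0 = hide). */
struct knobs {
	int see_other_uids;	/* security.bsd.see_other_uids */
	int see_jail_proc;	/* security.bsd.see_jail_proc */
};

/* Stand-in for struct ucred: a single uid and a jail id (HOST = 0). */
struct cred {
	unsigned int uid;
	int prison;
};

#define HOST 0

/* Stand-in for the root/privilege check: uid 0 bypasses both knobs. */
static int is_privileged(const struct cred *u)
{
	return u->uid == 0;
}

/*
 * Jail containment: the host can look into any jail, a jail can look at
 * itself only, never out at the host or at a sibling jail.  The real
 * kernel walks a jail hierarchy; only one level is modelled here.
 */
static int model_prison_check(const struct cred *u1, const struct cred *u2)
{
	if (u1->prison == HOST || u1->prison == u2->prison)
		return 0;
	return ESRCH;
}

/* see_other_uids=0 hides processes of a *different* uid, jail or not. */
static int model_canseeotheruids(const struct knobs *k,
    const struct cred *u1, const struct cred *u2)
{
	if (!k->see_other_uids && u1->uid != u2->uid && !is_privileged(u1))
		return ESRCH;
	return 0;
}

/* see_jail_proc=0 hides processes in a *different* jail, same uid or not. */
static int model_canseejailproc(const struct knobs *k,
    const struct cred *u1, const struct cred *u2)
{
	if (!k->see_jail_proc && u1->prison != u2->prison && !is_privileged(u1))
		return ESRCH;
	return 0;
}

/* 0 = viewer u1 may see (and so ps/kill) a process owned by u2, else ESRCH. */
int model_cansee(const struct knobs *k, const struct cred *u1,
    const struct cred *u2)
{
	int err;

	if ((err = model_prison_check(u1, u2)) != 0)
		return err;
	if ((err = model_canseeotheruids(k, u1, u2)) != 0)
		return err;
	return model_canseejailproc(k, u1, u2);
}

int main(void)
{
	/* Constructed credentials for the scenario in the mail. */
	const struct cred host_root = { 0, HOST };
	const struct cred host_1001 = { 1001, HOST };
	const struct cred jail_1001 = { 1001, 1 };	/* same uid, in jail 1 */
	const struct cred jail_1002 = { 1002, 1 };
	const struct knobs settings[] = {
		{ 1, 1 },	/* stock defaults */
		{ 0, 1 },	/* see_other_uids=0 only: uid 1001 still crosses the jail line */
		{ 0, 0 },	/* plus see_jail_proc=0: the jail line now holds */
	};
	size_t i;

	for (i = 0; i < sizeof(settings) / sizeof(settings[0]); i++) {
		const struct knobs *k = &settings[i];

		printf("see_other_uids=%d see_jail_proc=%d:\n", k->see_other_uids,
		    k->see_jail_proc);
		printf("  host uid 1001 -> jail uid 1001: %s\n",
		    model_cansee(k, &host_1001, &jail_1001) ? "hidden" : "visible");
		printf("  host uid 1001 -> jail uid 1002: %s\n",
		    model_cansee(k, &host_1001, &jail_1002) ? "hidden" : "visible");
		printf("  host root     -> jail uid 1001: %s\n",
		    model_cansee(k, &host_root, &jail_1001) ? "hidden" : "visible");
		printf("  jail uid 1001 -> host uid 1001: %s\n",
		    model_cansee(k, &jail_1001, &host_1001) ? "hidden" : "visible");
	}
	return 0;
}
```

The middle setting is the one the thread is about: with only see_other_uids=0 the host's uid 1001 is treated as the same user as the jail's uid 1001, so the jail process stays visible to it; adding see_jail_proc=0 hides it without changing what root can see.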
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?96e0c0bc-eb9c-2ffa-9216-88678d0e8730>