Date:      Sun, 29 Nov 2020 15:41:36 +0000
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        "Kyle Evans" <kevans@freebsd.org>
Cc:        "James Gritton" <jamie@freebsd.org>, freebsd-jail <freebsd-jail@freebsd.org>, freebsd-arch@freebsd.org, trustedbsd-discuss@freebsd.org
Subject:   Re: RFC: Jail privsets
Message-ID:  <C9143FB8-FFFE-4757-BE6F-9F2551F5A256@FreeBSD.org>
In-Reply-To: <CACNAnaHrB8q_R2RvQLV_YRYdoD7zAs3-R6szbSD1dSh_-SAB5Q@mail.gmail.com>
References:  <CACNAnaEKoBppjG8HH0KgYQv0EHPUcHmB3teyw1PQrjG3xsbXYQ@mail.gmail.com> <06F654BB-B087-4AE5-8599-E5837A85A850@FreeBSD.org> <CACNAnaGdn4o84UmKfA=m-fWvaUSHj-1zTVsBe9cdZZy0JMzEKg@mail.gmail.com> <6BA03DAD-BDCD-4A53-A80A-4B7B476B803C@FreeBSD.org> <CACNAnaGUEZqg_4WOgZ2zAOCboBGeeOY45ie_PSkVSK=3ct4b0g@mail.gmail.com> <BAD5CA23-A4B6-4C22-B095-F89217476825@FreeBSD.org> <CACNAnaHrB8q_R2RvQLV_YRYdoD7zAs3-R6szbSD1dSh_-SAB5Q@mail.gmail.com>

On 29 Nov 2020, at 15:33, Kyle Evans wrote:

> Sure- I'm not so sure about vnet, but all of the allow flags could get
> deprecated in favor of describing the privs available somewhere and
> letting admin make decisions. I think the vnet set still makes a lot
> of sense unless you're also proposing that we could just create new
> vnets if one of those privileges is turned on -- in which case, we'd
> still have to manage the set, but it wouldn't be used much beyond a
> hint mask that we need to create a vnet.

What I am thinking of is a /etc/defaults/devfs.rules-alike set of privs
describing base, jail, jailvnet and then pick appropriately if the jail
gets created with vnet (though I can imagine some people extending a
default jail set — e.g. for raw sockets — or removing some privs from a
vnet jail set).

The tricky bit would be to manage the header file and the text
description, but having a default wildcard of “*” or “all” for base would
probably catch most cases.


/bz
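A worked example of the privset file sketched in the message above, added here by the editor and not code from the thread or from FreeBSD: a hypothetical /etc/defaults/jail.privs with base, jail and jailvnet sets, a wildcard default for base, admin-defined extensions (a jail set plus raw sockets) and restrictions (a vnet set minus interface creation), and a resolver that picks the set from the vnet flag. The file format, the file name, the sample contents, the `include`/`-NAME` directives and the five privilege names used as the universe (sys/priv.h-style names, a tiny subset chosen for illustration) are all assumptions.

```python
"""Resolve named jail privilege sets from a devfs.rules-like text file.

Hypothetical format (not FreeBSD's): '[name]' opens a set; inside it,
'*' or 'all' adds every known privilege, 'include X' pulls in set X,
'NAME' adds and '-NAME' removes one privilege. Directives apply in order.
"""
from __future__ import annotations

# Illustrative universe: a handful of sys/priv.h-style names. The real
# kernel table is far larger; this subset is an assumption for the example.
ALL_PRIVS = frozenset({
    "PRIV_KMEM_WRITE",
    "PRIV_VFS_MOUNT",
    "PRIV_NETINET_RAW",
    "PRIV_NET_IFCREATE",
    "PRIV_NET_SETIFFLAG",
})

# Constructed sample config; file name and contents are hypothetical.
SAMPLE_CONFIG = """\
# hypothetical /etc/defaults/jail.privs
[base]
*                       # host: everything
[jail]
PRIV_VFS_MOUNT
[jailvnet]
include jail            # start from the plain jail set ...
PRIV_NET_IFCREATE       # ... and add what a vnet jail needs
PRIV_NET_SETIFFLAG
[jail.raw]              # admin extension: plain jail plus raw sockets
include jail
PRIV_NETINET_RAW
[jailvnet.locked]       # admin restriction: vnet jail minus ifcreate
include jailvnet
-PRIV_NET_IFCREATE
"""


def parse_privsets(text: str) -> dict[str, list[str]]:
    """Split the file into named sections of raw directive strings."""
    sets: dict[str, list[str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if not current or current in sets:
                raise ValueError(f"line {lineno}: bad or duplicate set {line!r}")
            sets[current] = []
            continue
        if current is None:
            raise ValueError(f"line {lineno}: directive before any [set] header")
        sets[current].append(line)
    return sets


def resolve(sets, name, universe=ALL_PRIVS, _stack=()):
    """Expand one set to a frozenset of privilege names.

    Includes are resolved recursively with cycle detection, and an unknown
    privilege name is an error: a typo must not silently grant or withhold
    nothing.
    """
    if name in _stack:
        raise ValueError("include cycle: " + " -> ".join(_stack + (name,)))
    if name not in sets:
        raise KeyError(f"unknown privilege set {name!r}")
    result: set[str] = set()
    for directive in sets[name]:
        if directive in ("*", "all"):
            result |= universe
        elif directive.startswith("include "):
            target = directive.split(None, 1)[1].strip()
            result |= resolve(sets, target, universe, _stack + (name,))
        else:
            remove = directive.startswith("-")
            priv = directive[1:] if remove else directive
            if priv not in universe:
                raise ValueError(f"set {name!r}: unknown privilege {priv!r}")
            (result.discard if remove else result.add)(priv)
    return frozenset(result)


def pick_set(sets, vnet: bool, override: str | None = None):
    """Choose the set for a new jail: an explicit override wins, otherwise
    'jailvnet' for a vnet jail and 'jail' for a plain one. The chosen set
    must be a subset of 'base'; no set may grant a jail more than the host."""
    name = override or ("jailvnet" if vnet else "jail")
    chosen = resolve(sets, name)
    extra = chosen - resolve(sets, "base")
    if extra:
        raise ValueError(f"set {name!r} exceeds base by {sorted(extra)}")
    return name, chosen


def validate(text: str, universe=ALL_PRIVS):
    """Resolve every set in a file up front (e.g. at boot, before any set is
    handed to the kernel). Returns {name: sorted privs} on success or the
    first error message as a string."""
    try:
        sets = parse_privsets(text)
        return {n: sorted(resolve(sets, n, universe)) for n in sets}
    except (ValueError, KeyError) as exc:
        return str(exc)


if __name__ == "__main__":
    for name, privs in validate(SAMPLE_CONFIG).items():
        print(f"{name:16} {' '.join(privs)}")
```

Because directives apply in order, an admin can both extend a default (`include jail` then `PRIV_NETINET_RAW`) and narrow one (`include jailvnet` then `-PRIV_NET_IFCREATE`) without editing the defaults file, which is the same split between /etc/defaults and local overrides that devfs.rules already uses. The subset-of-base check in `pick_set` is the invariant worth keeping whatever the real format ends up being.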


