Date: Sun, 7 Jan 2001 12:07:57 -0500 (EST) From: Robert Watson <rwatson@FreeBSD.org> To: Evan S <kaworu@sektor7.ath.cx> Cc: Kris Kennaway <kris@FreeBSD.org>, freebsd-security@FreeBSD.org Subject: Re: changing kernsecurelevel Message-ID: <Pine.NEB.3.96L.1010107120424.27948F-100000@fledge.watson.org> In-Reply-To: <Pine.GSO.4.10.10101071151580.5155-100000@wintermute.sekt7>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 7 Jan 2001, Evan S wrote: > Mm, Openroot runs on -CURRENT, and users are able to apply those flags > to files. But, I made a little patch, and it seems to work. They're not > able to do it anymore. Aha. They can add, but not remove, right? That probably should be changed -- feel free to e-mail me a patch and I'll apply as appropriate. > Other than that I'm happy with the way Jail works. The above was the > only problem I had. Great. Contributions in this space are always welcome :-). There is a patch in the PR database, btw, that deals with another problem with jail() that you might potentially run into: resource limits are currently global in scope, and not per-jail(). This has positive and negative aspects, and the patch doesn't address all of the problems that need to be addressed, I believe. Really, we'd like to have per-jail resource limits, and then within that scope per-uid-per-jail limits. However, the current resource mechanism is not structured to support this. I believe the patch addresses the per-uid-per-jail aspect, but does not allow the host administrator to specify per-jail limits to bound the resources allocated to a particular jail. With the gradual cleanup of credentials and resources limit structures, as well as a possible eventual move of the jail pointer into ucred or pcred, this problem will probably be more easily addressed. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010107120424.27948F-100000>