Date: Wed, 25 Apr 2001 12:26:57 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: hackers@freebsd.org
Subject: Re: Idea for additional feature for jail - jailed security level
Message-ID: <200104251926.f3PJQvM41527@earth.backplane.com>
References: <74643.988226120@critter>
:
:In message <200104251904.f3PJ4xP41049@earth.backplane.com>, Matt Dillon writes:
:> I just had an idea... allow the kernel security level to be specified
:> for a jailed environment. Add a 'securelevel' field to the jail
:> structure and bump the API rev.
:
:That would be trivial to do, but I thought that securelevels were
:deemed "nice proof of concept but not the right way" ?
:
:--
:Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
Oh, also we would enforce increasing the secure level only... so when
you run a jail the minimum securelevel is the current securelevel. And
the global sysctl securelevel would still exist and override everything,
but now it is possible to leave it at -1 and run most system services
(including sshd) at a higher secure level inside a jail, leaving only
the init-run getty's running at securelevel -1.
-Matt
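
Added example, not part of the original message and not FreeBSD kernel code: a small C model of the rules proposed above (a per-jail securelevel field, raise-only changes, a jail starting no lower than the current level, and the global level still applying to every jail). The names `jail_model`, `effective_securelevel`, `jail_start` and `securelevel_raise` are hypothetical; reading "override everything" as "the effective level is the higher of the global and the jail level", and clamping rather than rejecting a too-low request at jail start, are assumptions.

```c
#include <stdio.h>

/* Hypothetical model of the proposal; not kernel code. */
static int global_securelevel = -1;      /* the global sysctl securelevel */

struct jail_model {
    int securelevel;                     /* proposed per-jail field */
};

/* Level enforced for a process; pass NULL for an unjailed host process.
 * Assumption: the global level wins whenever it is higher than the jail's. */
static int effective_securelevel(const struct jail_model *j)
{
    if (j == NULL || global_securelevel > j->securelevel)
        return global_securelevel;
    return j->securelevel;
}

/* Start a jail: its level is never below the creator's current level. */
static void jail_start(struct jail_model *j, const struct jail_model *creator,
                       int requested)
{
    int min_level = effective_securelevel(creator);
    j->securelevel = requested > min_level ? requested : min_level;
}

/* Raise-only setter (j == NULL changes the global level).
 * Returns 0 on success, -1 when the request would lower the level. */
static int securelevel_raise(struct jail_model *j, int level)
{
    if (level < effective_securelevel(j))
        return -1;
    if (j != NULL)
        j->securelevel = level;
    else
        global_securelevel = level;
    return 0;
}

int main(void)
{
    struct jail_model sshd_jail;         /* constructed scenario from the message */

    jail_start(&sshd_jail, NULL, 2);     /* host stays at -1, sshd jail at 2 */
    printf("host=%d jail=%d\n", effective_securelevel(NULL),
           effective_securelevel(&sshd_jail));
    printf("lower jail to 0: %d\n", securelevel_raise(&sshd_jail, 0));
    securelevel_raise(NULL, 3);          /* raising the global level covers the jail */
    printf("jail after global raise=%d\n", effective_securelevel(&sshd_jail));
    return 0;
}
```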
