From: Mateusz Guzik
To: kikuchan
Cc: freebsd-jail@freebsd.org
Date: Sat, 6 Jun 2015 01:53:48 +0200
Subject: Re: [patch] separate SysV IPC namespace for jail
Message-ID: <20150605235348.GA9965@dft-labs.eu>
List-Id: "Discussion about FreeBSD jail(8)"

On Sat, Jun 06, 2015 at 07:24:21AM +0900, kikuchan wrote:
> Hello,
>
> I want to run multiple instances of PostgreSQL with jail.
>
> Changing UID is not suitable for my case,
> so I created a simple patch for stable/10 to separate SysV IPC
> namespace for each jail.
>
> In contrast to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471 ,
> this patch comes with:
> - All objects are visible by ipcs(1) whether in jails or not.
> - Trying to access the objects beyond the jail will be rejected with EACCES.
> - Treat (key_t, prison) pair as the key for a named object.
> - Very simple implementation; I just added a check for
>   msqkptr->cred->cr_prison == td->td_ucred->cr_prison, for example.
>
> Is this approach suitable for the FreeBSD kernel?
>
> If you find it useful, or find bugs, please let me know.
>
> P.S.
> There is no way to know from userland which jails own the objects, so far.

I don't like this approach. I would expect completely separate namespaces.

Extending struct prison with relevant pointers and updating the code to look at them is mostly mechanical work, but making it committable requires fixing some deficiencies and answering some questions.
First off, with the support for multi-level jails, jailing is no longer a privileged operation. There are documented harmless races related to that, but it is unclear if they transform into something serious with sysvipc involved. Single-threading the process for jailing should be fine.

Address space can be shared between multiple jails; what happens if such a pair ends up in different jails? Preferably such a scenario would be prohibited to avoid future accidents.

What about existing sysvshm mappings when jailing?

-- 
Mateusz Guzik
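The semantics kikuchan describes (objects keyed by the (key_t, prison) pair, cross-jail access rejected with EACCES, every object still visible to a global listing) can be modelled in user space to see how they differ from a truly separate namespace. The following is an added example written for this thread, not the patch itself and not FreeBSD kernel code; the table, the `prison_t` type and the `model_*` function names are assumptions made for the illustration, and the owner check is the one-line `cr_prison` equality the message describes.

```c
/* User-space model of the patch semantics described in the thread.
 * Assumption: a flat global object table with a creating-prison pointer per
 * object stands in for the kernel's sysvipc tables and ucred->cr_prison. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* key_t */
#include <sys/ipc.h>     /* IPC_PRIVATE */

typedef struct prison { const char *name; } prison_t;   /* stands in for struct prison */

struct ipc_object {
    int in_use;
    key_t key;
    const prison_t *owner;   /* cr_prison of the creating credential */
};

#define MAX_OBJECTS 8
static struct ipc_object table[MAX_OBJECTS];   /* one global table, as today */

void model_reset(void) { memset(table, 0, sizeof table); }

/* Lookup-or-create keyed by the (key, prison) pair: the same key_t used in two
 * jails yields two distinct objects, which is the "named object" rule above.
 * IPC_PRIVATE always allocates a fresh object, as msgget(2)/shmget(2) do. */
int model_get(key_t key, const prison_t *caller)
{
    if (key != IPC_PRIVATE) {
        for (int i = 0; i < MAX_OBJECTS; i++)
            if (table[i].in_use && table[i].key == key && table[i].owner == caller)
                return i;
    }
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            table[i].key = key;
            table[i].owner = caller;
            return i;
        }
    }
    return -ENOSPC;
}

/* Access by id: the single check the patch adds, prison pointer equality.
 * Any caller whose cr_prison differs from the creator's, including the host,
 * is refused with EACCES; the object itself is still in the global table. */
int model_access(int id, const prison_t *caller)
{
    if (id < 0 || id >= MAX_OBJECTS || !table[id].in_use)
        return -EINVAL;
    if (table[id].owner != caller)
        return -EACCES;
    return 0;
}

/* What a global listing such as ipcs(1) would see: every object, jail or not.
 * This is the point Mateusz objects to; separate namespaces would list only
 * the caller's prison's objects. */
int model_count_visible(void)
{
    int n = 0;
    for (int i = 0; i < MAX_OBJECTS; i++)
        n += table[i].in_use;
    return n;
}

int main(void)
{
    prison_t host = { "host" }, ja = { "jail-a" }, jb = { "jail-b" };
    model_reset();
    int a = model_get(0x5432, &ja);      /* constructed key, e.g. two PostgreSQL jails */
    int b = model_get(0x5432, &jb);
    printf("same key, two jails -> ids %d and %d\n", a, b);
    printf("jail-b on jail-a's object -> %s\n",
           model_access(a, &jb) == -EACCES ? "EACCES" : "allowed");
    printf("host on jail-a's object   -> %s\n",
           model_access(a, &host) == -EACCES ? "EACCES" : "allowed");
    printf("objects visible globally  -> %d\n", model_count_visible());
    return 0;
}
```

The model makes the trade-off concrete: key collisions between jails are resolved and cross-jail access fails, but enumeration is still global and nothing in the table records which jail an entry belongs to in a form userland can query, which is the P.S. in the original report.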