Date: Mon, 3 Apr 2006 15:00:12 -0400 (EDT)
From: Daniel Eischen
To: Peter Jeremy
Cc: freebsd-stable@freebsd.org
Subject: Re: [HACKERS] semaphore usage "port based"?

On Tue, 4 Apr 2006, Peter Jeremy wrote:

> On Mon, 2006-Apr-03 08:19:00 -0400, Daniel Eischen wrote:
> >I don't really see what the problem is.  ESRCH seems perfectly
> >reasonable for trying to kill (even sig 0) a process from a
> >different jail.  If you're in a jail, then you shouldn't have
> >knowledge of processes from other jails.
>
> I agree in general.  The problem here is that SysV IPC isn't
> jail-aware - there's a single SysV IPC address space across the
> physical system.  This confuses (eg) postgres because it can
> see the SHM for a postgres instance in another jail but kill(2)
> claims that the process associated with that SHM doesn't exist.
>
> There appear to be two solutions:
> 1) Add a sysctl to change cr_cansignal() and/or prison_check() to
>    make processes visible between jails.
> 2) Change SysV IPC to be jail-aware.
>
> The former is trivial - but has a number of security implications.
> The latter is much harder, there is apparently a RELENG_4 patch in
> kern/48471 but it's not clear how much work would be necessary to
> bring it up to scratch.

Or:

  3) Run postgres in such a way that it doesn't look for
     remnant IPC information from other instances (use a
     per-jail-specific port #?).

Postgres has no business cleaning up after different jailed
instances of itself, which it wouldn't do if IPC's were per-jail.
So since IPC's don't currently work that way, account for it
by the way you run postgres.

--
DE
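
The ambiguity discussed in this thread, as an added example that is not part of the original messages and is not PostgreSQL or FreeBSD source: a signal-0 liveness probe for the creator of a SysV shared memory segment. The names `probe_owner`, `segment_creator` and `reaped_child_pid` are hypothetical; because a jailed caller also gets ESRCH for a live creator in another jail, that branch is reported as "not visible" rather than "dead".

```c
/* Added illustration; all function and enum names are hypothetical. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <unistd.h>

enum owner_state { OWNER_ALIVE, OWNER_NOT_VISIBLE, OWNER_UNKNOWN };

/* Probe a PID with signal 0: nothing is delivered, only the checks run. */
enum owner_state probe_owner(pid_t pid)
{
    if (kill(pid, 0) == 0 || errno == EPERM) /* EPERM: exists, not ours to signal */
        return OWNER_ALIVE;
    if (errno == ESRCH) /* dead, OR alive in a jail this caller cannot see */
        return OWNER_NOT_VISIBLE;
    return OWNER_UNKNOWN;
}

/* PID the kernel recorded as creator of a SysV segment, or -1 on error. */
pid_t segment_creator(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return (pid_t)-1;
    return ds.shm_cpid;
}

/* Fork a child that exits at once and reap it: a PID that no longer exists. */
pid_t reaped_child_pid(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return pid;
}

int main(void)
{
    int shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    if (shmid == -1) { perror("shmget"); return 1; }
    printf("creator state %d, reaped pid state %d\n",
           probe_owner(segment_creator(shmid)), probe_owner(reaped_child_pid()));
    shmctl(shmid, IPC_RMID, NULL); /* remove the demo segment */
    return 0;
}
```

Outside a jail the second probe really does mean the process is gone; the same return value inside a jail cannot distinguish that case from a segment owned by another jail's instance.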