Date: Fri, 16 Feb 2007 11:32:14 +0100
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Josef Karthauser <joe@FreeBSD.org>
Cc: hackers@freebsd.org, fs@freebsd.org
Subject: Re: nullfs and named pipes.
Message-ID: <20070216103214.GW64768@obiwan.tataz.chchile.org>
In-Reply-To: <20070215152259.GA2950@genius.tao.org.uk>
References: <20070204023711.GA3393@genius.tao.org.uk> <20070215135750.GR64768@obiwan.tataz.chchile.org> <20070215152259.GA2950@genius.tao.org.uk>
Josef,

On Thu, Feb 15, 2007 at 03:22:59PM +0000, Josef Karthauser wrote:
> On Thu, Feb 15, 2007 at 02:57:50PM +0100, Jeremie Le Hen wrote:
> >
> > Note that all processes within a jail can only interfere with processes
> > from another jail or host as if they were on different machines.  This
> > means they can communicate through PF_INET for instance but not
> > PF_LOCAL.
> >
> > [...]
> > So how does this relate to jails?
>
> The point of using nullfs is to make a PF_LOCAL socket appear local
> even in the jail(!).  Using the patch above this is indeed the case
> and as far as the jail is concerned the socket is indeed local,
> meaning that a process within a jail can talk via it to a process
> on the host environment with no restrictions.  This is crucially
> important for mysql for instance as there is significant overhead
> associated with PF_INET connections which can be avoided by talking
> to PF_LOCAL sockets.

I was wrong, you are right.  I was pretty sure the kernel retained the
credentials of the listening process and that trying to connect to the
latter using a process that has a mismatching jail ID would fail.

On term #1:
% jarjarbinks:~:103# nc -U -l /usr/space/chroot/tmp/mysock

On term #2:
% jarjarbinks:/usr/src:102# echo "I won't speak before testing" | jail /usr/space/chroot test 192.168.1.3 /usr/bin/nc -U /tmp/mysock

On term #1!
% I won't speak before testing

Sorry for the noise.  At least, I rekindled the thread :-).

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
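The test above shows that a unix socket exposed into a jail through a nullfs mount is reachable from inside the jail, so a host administrator may want an inventory of such endpoints. The following audit helper is an added example, not code from the thread or from FreeBSD; it assumes mount(8) output lines of the form `<source> on <mountpoint> (nullfs, ...)`, paths without spaces, and that it is run on the host with both sides of the mount visible.

```sh
# Inventory of unix sockets and FIFOs that a jail can reach through nullfs
# mounts placed under its root directory (added example, hypothetical helper).
# Usage on a FreeBSD host:  mount | audit_jail_nullfs /usr/space/chroot

# Print "<source> <mountpoint>" for each nullfs entry in mount(8)-style
# output read from stdin. Assumes the FreeBSD format
#   <source> on <mountpoint> (nullfs, local[, ...])
nullfs_mounts() {
    awk '$2 == "on" && $4 ~ /^\(nullfs[,)]/ { print $1, $3 }'
}

# Print every unix socket (-type s) and named pipe (-type p) below a
# directory, one host path per line, sorted for stable output.
ipc_endpoints() {
    find "$1" \( -type s -o -type p \) 2>/dev/null | sort
}

# For each nullfs mount whose mountpoint lies under the jail root given as
# $1, report the IPC endpoints it exposes as:
#   <host path> -> <path as seen inside the jail> (from <nullfs source>)
# Reads mount(8) output from stdin.
audit_jail_nullfs() {
    root=$1
    nullfs_mounts | while read -r src mnt; do
        # Only mounts that land inside the jail's directory tree matter here.
        case $mnt in
            "$root"/*) ;;
            *) continue ;;
        esac
        ipc_endpoints "$mnt" | while read -r p; do
            # Strip the jail root to get the path a jailed process would use.
            printf '%s -> %s (from %s)\n' "$p" "${p#"$root"}" "$src"
        done
    done
}
```

Sockets and FIFOs are both listed because a nullfs mount exposes either kind of endpoint in the same way; a mount that carries none prints nothing.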