Date: Sat, 27 Sep 2014 10:18:32 -0600
From: James Gritton <jamie@gritton.org>
To: freebsd-jail@freebsd.org, "freebsd-stable@FreeBSD.org Stable" <freebsd-stable@freebsd.org>
Subject: Re: fdescfs patch for working hierarchical jails
Message-ID: <5426E358.9070005@gritton.org>
In-Reply-To: <0CF6D1D0-0721-4395-8290-C92C91FEA45C@verweg.com>
References: <0B3648E9-21DC-4691-A6A9-26DE2C40947B@verweg.com> <5425BE60.5020900@gritton.org> <0CF6D1D0-0721-4395-8290-C92C91FEA45C@verweg.com>

On 9/27/2014 6:06 AM, Ruben van Staveren wrote:
> Hi James, others,
>
> On 26 Sep 2014, at 21:28, James Gritton <jamie@gritton.org> wrote:
>
>> On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
>>> Hi,
>>>
>>> Could a committer have a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
>>>
>>> This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
>>>
>>> Thanks!
>>>
>>> Best Regards,
>>> Ruben van Staveren
>> This would have to go into current first, and then MFC. Considering
>> 10.1 is getting close to release, I suspect it wouldn't be allowed in.
> I agree, probably better to do it that way indeed.
>
>> Also, I'm not sure I'd want to implement this in quite the proposed
>> way: it might suffice (from a security viewpoint) to use the existing
>> allow.mount.devfs for mounting fdescfs.
> Wouldn’t that be misleading? It would be better to mop up the various pseudofses under the monicker allow.mount.pseudofs.

My thinking is that fdescfs is practically the same as what devfs
already offers - just more descriptors in /dev/fd than the basic three.
I can't see why allowing one wouldn't be akin to allowing the other. In
fact, I fail to understand why it was made a separate filesystem in the
first place. Perhaps someone on the sec team will tell me otherwise when
I ask (which I ought to do before forging ahead).

- Jamie