From: James Gritton
Date: Sat, 27 Sep 2014 10:18:32 -0600
To: freebsd-jail@freebsd.org, "freebsd-stable@FreeBSD.org Stable"
Subject: Re: fdescfs patch for working hierarchical jails
Message-ID: <5426E358.9070005@gritton.org>
References: <0B3648E9-21DC-4691-A6A9-26DE2C40947B@verweg.com> <5425BE60.5020900@gritton.org> <0CF6D1D0-0721-4395-8290-C92C91FEA45C@verweg.com>
In-Reply-To: <0CF6D1D0-0721-4395-8290-C92C91FEA45C@verweg.com>
List-Id: Production branch of FreeBSD source code

On 9/27/2014 6:06 AM, Ruben van Staveren wrote:
> Hi James, others,
>
> On 26 Sep 2014, at 21:28, James Gritton wrote:
>
>> On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
>>> Hi,
>>>
>>> Could a committer have a look at
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
>>>
>>> This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
>>>
>>> Thanks!
>>>
>>> Best Regards,
>>> Ruben van Staveren
>>
>> This would have to go into current first, and then MFC. Considering
>> 10.1 is getting close to release, I suspect it wouldn't be allowed in.
>
> I agree, probably better to do it that way indeed.
>
>> Also, I'm not sure I'd want to implement this in quite the proposed
>> way: it might suffice (from a security viewpoint) to use the existing
>> allow.mount.devfs for mounting fdescfs.
>
> Wouldn’t that be misleading? It would be better to mop up the various
> pseudofses under the moniker allow.mount.pseudofs.

My thinking is that fdescfs is practically the same as what devfs already
offers - just more descriptors in /dev/fd than the basic three. I can't see
why allowing one wouldn't be akin to allowing the other. In fact, I fail to
understand why it was made a separate filesystem in the first place. Perhaps
someone on the sec team will tell me otherwise when I ask (which I ought to
do before forging ahead).

- Jamie