Date: Tue, 5 Aug 2003 06:50:18 -0700 (PDT)
Message-Id: <200308051350.h75DoIFc013893@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Yar Tikhiy
Subject: Re: kern/55163: [patch] hide kld system details from jails

The following reply was made to PR kern/55163; it has been noted by GNATS.

From: Yar Tikhiy
To: Dmitry Morozovsky
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55163: [patch] hide kld system details from jails
Date: Tue, 5 Aug 2003 17:44:32 +0400

On Mon, Aug 04, 2003 at 12:26:23PM +0400, Dmitry Morozovsky wrote:
>
> Well, security thru obscurity is not the best technique ;-)
> However, it seems that revealing too much info about host system for jail user,
> or even for jail admin, is not always the best. We plan to use it together with
> Pawel Jakub Dawidek's jailfsstat kernel module.
>
> This code path is rare, so no performance problem I think. Any objections?

The only objection I can see is that a generalized framework for
restricting system interfaces within a jail should be developed
instead of sticking in "if (foo_allowed)" everywhere.

-- 
Yar