Date: Tue, 5 Aug 2003 07:30:14 -0700 (PDT)
From: Dmitry Morozovsky <marck@rinet.ru>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/55163: [patch] hide kld system details from jails
Message-ID: <200308051430.h75EUEtm018903@freefall.freebsd.org>

The following reply was made to PR kern/55163; it has been noted by GNATS.

From: Dmitry Morozovsky <marck@rinet.ru>
To: Yar Tikhiy <yar@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55163: [patch] hide kld system details from jails
Date: Tue, 5 Aug 2003 18:22:53 +0400 (MSD)

On Tue, 5 Aug 2003, Yar Tikhiy wrote:

YT> > Well, security thru obscurity is not the best technique ;-)
YT> > However, it seems that reveal too much info about host system for jail user,
YT> > or even for jail admin, is not always the best. We plan to use it together with
YT> > Pawel Jakub Dawidek's jailfsstat kernel module.
YT> >
YT> > This code path is rare, so no performance problem I think. Any objections?
YT>
YT> The only objection I can see is that a generalized framework for
YT> restricting system interfaces within a jail should be developed
YT> instead of sticking in "if (foo_allowed)" everywhere.

In general I do agree; however, as far as I can see, in 5.x this functionality
*is* being developed in general way via MAC, which has no chances to be
back-ported; secondly, due to limited lifetime frame of 4.x branch, the process
of general development would not be successful => I suppose band-aid with
if(xxx_allowed) would be appropriate to achieve desired functionality.

Well, as there are objections, I suppose the discussion should be moved to
-stable@ ?

Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------