Date: Fri, 9 Aug 2013 11:00:01 -0400 From: John Baldwin <jhb@freebsd.org> To: freebsd-arch@freebsd.org Cc: Don Lewis <truckman@freebsd.org> Subject: Re: Reliable process tracking Message-ID: <201308091100.02052.jhb@freebsd.org> In-Reply-To: <52045C87.2080203@freebsd.org> References: <201308090301.r7931XDc059355@gw.catspoiler.org> <52045C87.2080203@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thursday, August 08, 2013 11:05:43 pm Julian Elischer wrote: > On 8/9/13 11:01 AM, Don Lewis wrote: > > On 9 Aug, Julian Elischer wrote: > > > >> I've been pondering the possibility of appending a universe (jail) > >> number to the > >> UIDS, PIDS and various other things. (classes maybe?). > >> > >> It wouldn't have to be everywhere, but ther eare a number of places > >> where comparisons would > >> DTRT if they were comparing "my_jail+my_uid" with "his_jail+his_uid", > >> instead of just the UIDs. > >> It would also help with the "multiple roots" problem, and might > >> simplify some of the current code. > > If that's all you want, then why not just compare > > proc1->p_fd->fd_jdir to proc2->p_fd->fd_jdir > > for the jail check? > > > > > > > because multiple jails can have the same root directory? However, td1->td_ucred->cr_prison == td2->td_ucred->cr_prison would work. OTOH, there are folks looking at considering how to make other types of security tokens work that is needed for better integration with other systems (think remote Windows AD logins or remote Kerberos realms). If you want to pursue this path you should likely talk to Robert Watson, Justin Gibbs, and other folks that they suggest. I think their route is probably a better model for uids/gids. I do think it might make sense to have per-jail namespaces for other things like pids, login classes, etc. -- John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201308091100.02052.jhb>