Date: Thu, 6 Jun 2002 11:42:18 +0300
From: Sergey Lyubka <devnull@uptsoft.com>
To: freebsd-doc@freebsd.org
Subject: developers-handbook/jail fix
Message-ID: <20020606114218.A2194@oasis.uptsoft.com>
--3MwIy2ne0vdjdPXF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hello, I think it makes sense. thanks, -sergey --3MwIy2ne0vdjdPXF Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="developer-handbook.jail.diff" --- chapter.sgml.orig Wed Jun 5 15:32:23 2002 +++ chapter.sgml Wed Jun 5 15:32:06 2002 @@ -302,8 +302,11 @@ structures, &man.fork.2; checks if the structure <literal>p->p_prison</literal> is filled on <literal>p2</literal>. If it is, it increments the - <literal>pr.ref</literal> by one, and sets the - <literal>p_flag</literal> to one on the child process.</para> + <literal>pr.ref</literal> by one, and sets P_JAILED flag in + <literal>p_flag</literal> node. The prison structure, + <literal>pr</literal>, is referenced by all the processes in a same + jail, so reference counter should be incremented after every new + process has been forked, and decremented after process' exit.</para> <programlisting><filename>/usr/src/sys/kern/kern_fork.c</filename>: if (p2->p_prison) { @@ -330,8 +333,10 @@ <title>SysV IPC</title> <para>System V IPC is based on messages. Processes can send each - other these messages which tell them how to act. The functions - which deal with messages are: <literal>msgsys</literal>, + other these messages which tell them how to act. Actually, the + messages are sent and received from a special memory area, + called message queue. Message queue resides in kernel address space. + The functions which deal with messages are: <literal>msgsys</literal>, <literal>msgctl</literal>, <literal>msgget</literal>, <literal>msgsend</literal> and <literal>msgrcv</literal>. Earlier, I mentioned that there were certain sysctls you could 
@@ -340,23 +345,31 @@ most systems, this sysctl is set to 0. If it were set to 1, it would defeat the whole purpose of having a jail; privleged users from within the jail would be able to affect processes - outside of the environment. The difference between a message - and a signal is that the message only consists of the signal + outside of the environment. </para> + <!-- + The difference between a message + and a signal is that the signal only consists of the signal number.</para> + No. there are much more differences - in generetion, handling and + delivery. For instance, process will not receive a message until + it calls an appropriate function, while signal could be delivered + without any actions from process. Signal cannot be treated as a + message with one data field - signal number. + --> + <para><filename>/usr/src/sys/kern/sysv_msg.c</filename>:</para> <itemizedlist> <listitem> <para>&man.msgget.3;: msgget returns (and possibly - creates) a message descriptor that designates a message queue + creates) a message queue descriptor that designates a message queue for use in other system calls.</para></listitem> <listitem> <para>&man.msgctl.3;: Using this function, a process - can query the status of a message - descriptor.</para></listitem> + can query the status of a message queue.</para></listitem> <listitem> <para>&man.msgsnd.3;: msgsnd sends a message to a - process.</para></listitem> + message queue.</para></listitem> <listitem> <para>&man.msgrcv.3;: a process receives messages using this function</para></listitem> 
@@ -489,7 +502,8 @@ network layer 2. There are certain precautions which are taken in order to prevent a jailed process from binding a protocol to a certain port only if the <literal>nam</literal> - parameter is set. nam is a pointer to a sockaddr structure, + parameter is set when calling <function>pcbind</function> function. + nam is a pointer to a sockaddr structure, which describes the address on which to bind the service. A more exact definition is that sockaddr "may be used as a template for reffering to the identifying tag and length of --3MwIy2ne0vdjdPXF-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
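Review bot: In the first hunk (@@ -302,8 +302,11 @@) the added text leaves P_JAILED as bare text while the neighbouring identifiers are wrapped in <literal>, calls p_flag a "node", and drops "on the child process", so the paragraph no longer says which process gets the flag. Suggest "and sets the <literal>P_JAILED</literal> flag in <literal>p_flag</literal> of the child process", and in the new sentence about the reference counter use "in the same jail" and "after a process exits".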
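Review bot: The second hunk (@@ -330,8 +333,10 @@) rewraps the sentence that lists the message functions but leaves <literal>msgsend</literal> in the context line right after it, which disagrees with the &man.msgsnd.3; entry in the list edited by the next hunk; since the sentence is being touched anyway, fix the name here. The added sentences also need articles ("called a message queue", "The message queue resides in kernel address space"), and the leading "Actually," can be dropped.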
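Review bot: The third hunk (@@ -340,23 +345,31 @@) parks the disputed sentence and the objection to it inside an SGML comment in chapter.sgml, which leaves review discussion in the handbook source and gives the reader nothing in its place. The copy inside the comment also differs from the removed lines: the original read "the message only consists of the signal" and the commented copy reads "the signal only consists of the signal". Suggest deleting the sentence outright, or replacing it with the distinction the comment already states (a process does not receive a message until it calls an appropriate function, while a signal can be delivered without any action from the process), and moving the rationale to the commit message. "generetion" is a typo if the comment stays.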
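Review bot: In the last hunk (@@ -489,7 +502,8 @@) the name pcbind is introduced without a source file, unlike the kern_fork.c and sysv_msg.c references elsewhere in the patch, so a reader cannot check it; please confirm the spelling against the kernel source and name the file. "<function>pcbind</function> function" is also redundant, since the markup already says it is a function, and the sentence being extended ("to prevent a jailed process from binding a protocol to a certain port only if the nam parameter is set") still does not parse, so consider rewriting the whole sentence rather than appending a clause to it.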