Date:      Tue, 04 Apr 2006 13:04:01 +0200
From:      Koen Martens <fbsd@metro.cx>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        Peter Jeremy <peterjeremy@optushome.com.au>, freebsd-current@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: new feature: private IPC for every jail
Message-ID:  <443252A1.8000704@metro.cx>
In-Reply-To: <20060404112938.G76562@fledge.watson.org>
References:  <20060403003318.K947@ganymede.hub.org> <20060403163220.F36756@fledge.watson.org> <20060404100750.GG683@turion.vk2pj.dyndns.org> <20060404112938.G76562@fledge.watson.org>

Robert Watson wrote:
>
> Hmm.  This sounds like it might be workable.  To make sure I understand
> your proposal:
>
> - We add a new prison ID field to the in-kernel description of each
>   segment, semaphore, message queue, etc.  This is initialized to the
>   prison ID of the process creating the object at the time of creation.
>
> - shmget(), et al, will, in addition to matching the key when searching
>   for an existing object, also attempt to match the prison ID of the
>   object to the process.  For the sake of completeness, we will use
>   prison ID 0 for unjailed processes (or something along those lines).
>   This guarantees that two jails, or even the host and a jail, will never
>   receive an ID already allocated to another jail, and in particular, not
>   an ID for an object from another jail with the same key as might be
>   used in the current jail.
>
> - shmat(), et al, will perform an access control check to confirm that if
>   a process is jailed, its prison ID matches that of the object.
>
> Is it necessary, as you suggest, to change the IPC ID name space at
> all?  I assume applications do consistently use shmget() to look up IDs,
> and that they can't/don't make assumptions about long-term persistence
> of those mappings across boot (which is effectively what a jail restart
> is?).  Is the behavior of IPXSEQ_TO_IPCID() something that has documented
> or relied on properties, or are we free to perform a mapping from a name
> (key) to an object (id) in any way we choose?
>
> I guess another change is also needed:
>
> - At jail termination, we GC all resources with the prison ID in question.
>
> This prevents a future jail from turning up with the same ID and seeing
> old shared memory (etc) segments.

FWIW, I already implemented this once for 5.x a while back, but
abandoned the project due to lack of time back then. If no-one else
is going to pick this up, I might try and dig up that code again,
and port it to 6.x, since this feature is still quite high on my
wish list.

Best,

Koen

-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, hosting, embedded systems, unix, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
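As an added illustration (not code from this thread, nor FreeBSD's own sysv_shm/sysv_sem code), the following C snippet models the proposal quoted above in userland: each IPC object carries the creator's prison ID (0 for unjailed processes, as Robert suggests), the shmget()-style lookup matches key and prison ID together, the shmat()-style check refuses cross-jail attaches for jailed callers, and jail termination garbage-collects that prison's objects. Object IDs are simply table slot indices here; that fixed-size table and the slot-as-ID choice are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_OBJS  16
#define NO_PRISON 0   /* prison ID used for unjailed (host) processes */

/* Minimal model of one SysV IPC object (segment, semaphore, queue, ...) */
struct ipc_obj {
    bool active;
    long key;      /* the key_t handed to shmget()/semget()/msgget() */
    int  prison;   /* prison ID of the creating process, NO_PRISON for host */
};

static struct ipc_obj objs[MAX_OBJS];   /* constructed in-memory table */

/* Model of shmget(): match key AND prison ID; create on a miss.
 * Returns the object ID (slot index), or -1 when the table is full.
 * Two jails (or host and jail) using the same key never share a slot. */
int ipc_get(long key, int prison)
{
    for (int i = 0; i < MAX_OBJS; i++)
        if (objs[i].active && objs[i].key == key && objs[i].prison == prison)
            return i;
    for (int i = 0; i < MAX_OBJS; i++)
        if (!objs[i].active) {
            objs[i] = (struct ipc_obj){ .active = true, .key = key, .prison = prison };
            return i;
        }
    return -1;
}

/* Model of the shmat() access check from the proposal: if the caller is
 * jailed, its prison ID must match the object's; unjailed callers are not
 * checked by this model. */
bool ipc_can_attach(int id, int prison)
{
    if (id < 0 || id >= MAX_OBJS || !objs[id].active)
        return false;
    if (prison == NO_PRISON)
        return true;
    return objs[id].prison == prison;
}

/* Model of jail termination: GC every object owned by that prison ID,
 * so a later jail reusing the ID cannot see stale segments. Returns count. */
int ipc_gc_prison(int prison)
{
    int freed = 0;
    for (int i = 0; i < MAX_OBJS; i++)
        if (objs[i].active && objs[i].prison == prison) {
            objs[i].active = false;
            freed++;
        }
    return freed;
}
```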