From owner-freebsd-arch Sat Jul 15 2: 9:43 2000
Delivered-To: freebsd-arch@freebsd.org
Received: from gateway.posi.net (c1096725-a.smateo1.sfba.home.com [24.20.139.104])
    by hub.freebsd.org (Postfix) with ESMTP id D6CC237BACB;
    Sat, 15 Jul 2000 02:09:37 -0700 (PDT)
    (envelope-from kbyanc@posi.net)
Received: from localhost (kbyanc@localhost)
    by gateway.posi.net (8.9.3/8.9.3) with ESMTP id CAA02202;
    Sat, 15 Jul 2000 02:10:17 -0700 (PDT)
    (envelope-from kbyanc@posi.net)
Date: Sat, 15 Jul 2000 02:10:16 -0700 (PDT)
From: Kelly Yancey
To: Robert Watson
Cc: Dan Nelson, Julian Elischer, Warner Losh, Adrian Chadd, freebsd-arch@FreeBSD.ORG
Subject: Re: SysctlFS
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 15 Jul 2000, Robert Watson wrote:

> On Fri, 14 Jul 2000, Dan Nelson wrote:
>
> > Would it be possible to have a symbolic link type that breaks out of a
> > jail? So you would have a "/myjail/dev ->> /dev" link in the jail that
> > ends up referring to the real /dev. This would also fix the /proc
> > problem. You wouldn't want to link /myjail/usr/lib to /usr/lib,
> > though, because the jailed root would be able to modify the binaries,
> > but /dev and /proc seem safe.
>
> [ snip ]
>
> You could imagine a light-weight mountpoint technique based on a special
> form of symlink, where the mountpoint is stored in the file system,
> instead of in the kernel mount table. When such a symlink was hit, it
> would be auto-followed. This is a lot like the behavior in Coda and AFS,
> where mountpoints are actually symlinks to #volumename, only in that
> environment, the protection model is compatible with that. You could
> imagine symlinks to specific synthetic file systems, including
> #system.procfs and #system.sysctlfs. When hit during a namei, it could
> either be turned into a real vnode mountpoint, or follow into a special
> table namespace.
>
> [ snip ]

Maybe I am missing something obvious, but wouldn't a mount option to
automatically export a given filesystem to all jails do the trick?
Fundamental filesystems like procfs and devfs would typically be mounted
with the option, while others were left to per-jail individual mounts.
That is, of course, assuming we had room for more MNT_* flags.

Kelly

--
Kelly Yancey - kbyanc@posi.net - Belmont, CA
System Administrator, eGroups.com http://www.egroups.com/
Maintainer, BSD Driver Database http://www.posi.net/freebsd/drivers/
Coordinator, Team FreeBSD http://www.posi.net/freebsd/Team-FreeBSD/