From owner-freebsd-hackers@FreeBSD.ORG Mon Nov 30 15:14:59 2009
From: Ivan Voras
To: freebsd-hackers@freebsd.org
Date: Mon, 30 Nov 2009 16:14:40 +0100
Subject: Re: UNIX domain sockets on nullfs still broken?
In-Reply-To: <20091130150127.GA82188@logik.internal.network>
References: <20091130142950.GA86528@logik.internal.network> <20091130150127.GA82188@logik.internal.network>
List-Id: Technical Discussions relating to FreeBSD

xorquewasp@googlemail.com wrote:
> On 2009-11-30 15:43:01, Ivan Voras wrote:
>> xorquewasp@googlemail.com wrote:
>>> 76030 initial thread STRU struct sockaddr { AF_LOCAL, /tmp/jack-11001/default/jack_0 }
>>> 76030 initial thread NAMI "/tmp/jack-11001/default/jack_0"
>>> 76030 initial thread RET connect -1 errno 61 Connection refused
>> I would expect to see this result from the jail since it's obviously a
>> Bad Idea, but does it work from the same (host) machine without the jail
>> in between (i.e. just the nullfs, no jails)?
>
> Hm, yes, you're right. It does work without a jail involved.
>
> What's the sane solution, then, when the only method of communication
> is unix domain sockets?

It is a security problem. I think the long-term solution would be to add a sysctl analogous to security.jail.param.securelevel to handle this. I don't think there is a workaround right now.
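The ktrace excerpt quoted above is worth reading closely: NAMI succeeds (the path resolves) and connect(2) still fails with errno 61, ECONNREFUSED, not ENOENT. For AF_LOCAL sockets the BSD connect path looks the name up with namei and then requires a listening socket to be attached to the vnode it resolved to; a vnode that resolves but has no socket attached yields ECONNREFUSED. That is the same error a client gets from a stale socket node whose listener has exited, so the two cases look identical from userland. The following C program, added here as an illustration and not code from the thread or from FreeBSD, reproduces the three outcomes a practitioner should be able to tell apart on any host without a jail or nullfs: a live listener (success), a socket node left behind after its listener closed (ECONNREFUSED), and a removed node (ENOENT). The socket path `/tmp/unp_probe.sock` and the function names are constructed for the example.

```c
/* Added example, not from the mailing-list thread: probe connect(2) on an
 * AF_LOCAL path and return the errno, so "name did not resolve" (ENOENT) can
 * be told apart from "name resolved to a socket node with no listener behind
 * it" (ECONNREFUSED), which is the pattern in the ktrace output. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill a sockaddr_un for path; returns 0, or ENAMETOOLONG if it does not fit. */
static int fill_sun(struct sockaddr_un *sun, const char *path)
{
    memset(sun, 0, sizeof *sun);
    sun->sun_family = AF_LOCAL;
    if (strlen(path) >= sizeof sun->sun_path)
        return ENAMETOOLONG;
    strcpy(sun->sun_path, path);
    return 0;
}

/* Create a listening AF_LOCAL stream socket bound at path.
 * Returns the fd, or -1 with errno set. */
int listen_at(const char *path)
{
    struct sockaddr_un sun;
    int fd, err;

    if ((err = fill_sun(&sun, path)) != 0) { errno = err; return -1; }
    unlink(path);                       /* drop a stale node from an earlier run */
    if ((fd = socket(AF_LOCAL, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sun, sizeof sun) < 0 || listen(fd, 1) < 0) {
        err = errno; close(fd); errno = err;
        return -1;
    }
    return fd;
}

/* Connect to path once. Returns 0 on success, otherwise connect(2)'s errno. */
int probe_connect(const char *path)
{
    struct sockaddr_un sun;
    int fd, err;

    if ((err = fill_sun(&sun, path)) != 0) return err;
    if ((fd = socket(AF_LOCAL, SOCK_STREAM, 0)) < 0) return errno;
    err = connect(fd, (struct sockaddr *)&sun, sizeof sun) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Run the three-step sequence and return the errno observed at `step`:
 *   0: listener alive                      -> 0
 *   1: listener closed, socket node remains -> ECONNREFUSED (61 on FreeBSD)
 *   2: socket node unlinked                 -> ENOENT
 * Returns -1 if the listener could not be set up or step is out of range. */
int demo_step(const char *path, int step)
{
    int fd, r[3];

    if ((fd = listen_at(path)) < 0) return -1;
    r[0] = probe_connect(path);
    close(fd);                          /* listener gone, node still on disk */
    r[1] = probe_connect(path);
    unlink(path);                       /* node gone too */
    r[2] = probe_connect(path);
    return (step >= 0 && step < 3) ? r[step] : -1;
}

int main(void)
{
    const char *path = "/tmp/unp_probe.sock";   /* constructed path for the demo */

    for (int step = 0; step < 3; step++) {
        int e = demo_step(path, step);
        if (e < 0) { perror("setup"); return 1; }
        printf("step %d: %s\n", step, e ? strerror(e) : "connected");
    }
    return 0;
}
```

Running this on the host shows ECONNREFUSED only in step 1, where the name resolves to a socket node that no listener is attached to. In the jailed nullfs case from the thread the listener is alive, yet the client sees the same ECONNREFUSED, which is what points at the name resolving to a different vnode than the one the server bound rather than at the server being down.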