Date: Sat, 15 Jul 2000 23:35:36 -0600 From: Warner Losh <imp@village.org> To: Brian Fundakowski Feldman <green@FreeBSD.ORG> Cc: freebsd-arch@FreeBSD.ORG Subject: Re: SysctlFS Message-ID: <200007160535.XAA50733@harmony.village.org> In-Reply-To: Your message of "Sat, 15 Jul 2000 21:14:17 EDT." <Pine.BSF.4.21.0007152020060.877-100000@green.dyndns.org> References: <Pine.BSF.4.21.0007152020060.877-100000@green.dyndns.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <Pine.BSF.4.21.0007152020060.877-100000@green.dyndns.org> Brian Fundakowski Feldman writes: : On Sat, 15 Jul 2000, Warner Losh wrote: : : > In message <Pine.BSF.4.21.0007151907310.877-100000@green.dyndns.org> Brian Fundakowski Feldman writes: : > : On Sat, 15 Jul 2000, Robert Watson wrote: : > : : > : > On Sat, 15 Jul 2000, Brian Fundakowski Feldman wrote: : > : > : > : > > We could create a way for jailed processes to "break out" into the : > : > > canonical name space. This is a description of possible semantics for : > : > : > : > What canonical namespace would that be? : > : : > : Unless you can think of anything else that could possibly be the : > : canonical namespace, struct vnode *rootvnode. : > : > Put another way... : > : > If we have a jail that lives in /foo/bar, and we have ways to : > symboliclly link outside /foo/bar, that's a big problem. : : Why? It's got exactly the same considerations as the "true" root being : able to mount(2) things into a jail or mknod(2). You shouldn't be able to mount thinks in jail or mknod. While in jail, you cannot do a mknod right now. While in jail, you can't do a mount. Creating holes in this scheme makes me extremely nervous. : > Also, you really don't want too many devices in a jail's /dev tree. : > You really wouldn't want devfs for jail unless you could limit it : > severely. And that's going to be hard to write, I think. : : But you could create multiple mounts (instances) of devfs which each : contain a specific subset of the devfs proper and do the "symlink : breakout" accordingly :) An aspect of jail classes, if you will. Why bother with a symlink? Why not have a reference to the real dev_t? Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200007160535.XAA50733>