Date:      Fri, 7 Jun 2002 06:21:35 -0700 (PDT)
From:      Sergey Lyubka <devnull@uptsoft.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   docs/38982: developers-handbook/Jail fix
Message-ID:  <200206071321.g57DLZ9r099889@www.freebsd.org>


>Number:         38982
>Category:       docs
>Synopsis:       developers-handbook/Jail fix
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 07 06:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Sergey Lyubka
>Release:        FreeBSD4.6-RC
>Organization:
Asita Technologies Int.
>Environment:
FreeBSD yoda.asitatech.ie 4.6-RC FreeBSD 4.6-RC #7: Thu May 23 15:08:05 GMT 2002     root@yoda.asitatech.ie:/usr/obj/usr/src/sys/DEVNULL  i386

>Description:
A few inaccuracies found.
>How-To-Repeat:
      
>Fix:
--- chapter.sgml.orig	Wed Jun  5 15:32:23 2002
+++ chapter.sgml	Wed Jun  5 15:32:06 2002
@@ -302,8 +302,11 @@
           structures, &man.fork.2; checks if the structure
           <literal>p->p_prison</literal> is filled on
           <literal>p2</literal>. If it is, it increments the
-          <literal>pr.ref</literal> by one, and sets the
-          <literal>p_flag</literal> to one on the child process.</para>
+          <literal>pr.ref</literal> by one, and sets P_JAILED flag in
+          <literal>p_flag</literal> node. The prison structure,
+	  <literal>pr</literal>, is referenced by all the processes in a same
+	  jail, so reference counter should be incremented after every new
+	  process has been forked, and decremented after process' exit.</para>
 
         <programlisting><filename>/usr/src/sys/kern/kern_fork.c</filename>:
 if (p2->p_prison) {
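Review bot: the new wording "sets P_JAILED flag in <literal>p_flag</literal> node" calls p_flag a node; it is a field, and P_JAILED should carry the same <literal> markup as p_flag and pr.ref, so I'd write "sets the <literal>P_JAILED</literal> flag in the <literal>p_flag</literal> field". The added sentence about the shared prison structure also needs its articles and tense fixed: "is referenced by all the processes in the same jail, so the reference counter is incremented every time a new process is forked and decremented when a process exits." Since this hunk only shows the fork side, a pointer to where the decrement actually happens would let the reader verify that claim.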
@@ -330,8 +333,10 @@
       <title>SysV IPC</title>
 
       <para>System V IPC is based on messages. Processes can send each
-        other these messages which tell them how to act. The functions
-        which deal with messages are: <literal>msgsys</literal>,
+        other these messages which tell them how to act. Actually, the
+	messages are sent and received from a special memory area,
+	called message queue. Message queue resides in kernel address space.
+	The functions which deal with messages are: <literal>msgsys</literal>,
         <literal>msgctl</literal>, <literal>msgget</literal>,
         <literal>msgsend</literal> and <literal>msgrcv</literal>.
         Earlier, I mentioned that there were certain sysctls you could
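Review bot: "Actually, the messages are sent and received from a special memory area, called message queue. Message queue resides in kernel address space." is conversational and drops its articles; suggest "Messages are sent to and received from a kernel-resident data structure called a message queue." The three added lines are also indented with a tab while the surrounding <para> text uses spaces; match the existing indentation so the SGML diff stays clean.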
@@ -340,23 +345,31 @@
         most systems, this sysctl is set to 0. If it were set to 1, it
         would defeat the whole purpose of having a jail; privleged
         users from within the jail would be able to affect processes
-        outside of the environment. The difference between a message
-        and a signal is that the message only consists of the signal
+        outside of the environment. </para>
+	<!--
+	The difference between a message
+        and a signal is that the signal only consists of the signal
         number.</para>
 
+	No. there are much more differences - in generetion, handling and
+	delivery. For instance, process will not receive a message until
+	it calls an appropriate function, while signal could be delivered
+	without any actions from process. Signal cannot be treated as a
+	message with one data field - signal number.
+	-->
+
       <para><filename>/usr/src/sys/kern/sysv_msg.c</filename>:</para>
 
       <itemizedlist>
         <listitem> <para>&man.msgget.3;: msgget returns (and possibly
-        creates) a message descriptor that designates a message queue
+        creates) a message queue descriptor that designates a message queue
         for use in other system calls.</para></listitem>
 
         <listitem> <para>&man.msgctl.3;: Using this function, a process
-        can query the status of a message
-        descriptor.</para></listitem>
+        can query the status of a message queue.</para></listitem>
 
         <listitem> <para>&man.msgsnd.3;: msgsnd sends a message to a
-        process.</para></listitem>
+        message queue.</para></listitem>
 
         <listitem> <para>&man.msgrcv.3;: a process receives messages using
         this function</para></listitem>
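Review bot: the commented-out block at the top of this hunk leaves an editorial rebuttal ("No. there are much more differences ...") inside the shipped chapter.sgml; a doc patch should either delete the inaccurate message-versus-signal sentence outright or replace it with the corrected explanation in prose (roughly: a message is only delivered when the receiver explicitly calls msgrcv, whereas a signal is delivered asynchronously, so a signal is not a message with a single number field). If the comment does stay, fix "generetion" and the stray space in "environment. </para>". The descriptor-to-queue corrections in the msgget, msgctl and msgsnd items are right; the msgrcv item is still missing its closing period ("this function</para>"), and the context line "privleged users" has a typo, both of which could be fixed in the same pass.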
@@ -489,7 +502,8 @@
         network layer 2. There are certain precautions which are
         taken in order to prevent a jailed process from binding a
         protocol to a certain port only if the <literal>nam</literal>
-        parameter is set. nam is a pointer to a sockaddr structure,
+        parameter is set when calling <function>pcbind</function> function.
+	nam is a pointer to a sockaddr structure,
         which describes the address on which to bind the service. A
         more exact definition is that sockaddr "may be used as a
         template for reffering to the identifying tag and length of
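Review bot: "when calling <function>pcbind</function> function" doubles the word function, and the name itself should be checked against the source: the hunk does not show the file, and I believe the bind-time prison check this paragraph describes lives in in_pcbbind() in sys/netinet/in_pcb.c, so if that is the function meant, name it in full ("parameter is set when <function>in_pcbbind</function> is called"). The added continuation line is tab-indented while the paragraph uses spaces, and the unchanged context line "reffering" is a typo ("referring") that could be fixed in this hunk.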

>Release-Note:
>Audit-Trail:
>Unformatted:
