Date: Tue, 09 Nov 1999 12:54:45 +0900
From: Yoshinobu Inoue <shin@nd.net.fujitsu.co.jp>
To: freebsd-hackers@freebsd.org, freebsd-security@FreeBSD.ORG
Subject: Should jail treat ip-number?
Message-ID: <19991109125445E.shin@nd.net.fujitsu.co.jp>
Hello,

I have some concerns about jail, and would like to discuss them.

Currently jail sets an ip-number and lets prisoned processes bind only to it.

My concerns are,

(1) When IPv6 is added to the system, a more general id would be desirable.

(2) What is the goal of the restriction?

If physical level access protection is wanted, then specifying an interface name is a more general and certain way of achieving it. (Because when that ip-number is moved to another network interface, then the restriction will also move with it.)

If some virtual network level protection is wanted, then specifying an ip-number is suitable, but I think a more general id should be used, such as a pointer to a sockaddr.

I think the kernel change will not be so much for any of the above additions or changes, but there will be some backward compatibility issues for the API. (some member additions to the jail structure, and jail command extensions)

Yoshinobu Inoue

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
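The sockaddr-based id suggested in the message, sketched as an added example that is not part of the original e-mail or of FreeBSD's jail code: a bind check keyed on address family, so one jail address slot covers IPv4 and IPv6. The names `jail_bind_allowed`, `make_sockaddr` and `check` are hypothetical, and the addresses are constructed documentation-range values.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper: build a sockaddr from text; returns 1 on success. */
static int make_sockaddr(int family, const char *text, struct sockaddr_storage *out)
{
    memset(out, 0, sizeof(*out));
    out->ss_family = family;
    if (family == AF_INET)
        return inet_pton(AF_INET, text, &((struct sockaddr_in *)out)->sin_addr) == 1;
    if (family == AF_INET6)
        return inet_pton(AF_INET6, text, &((struct sockaddr_in6 *)out)->sin6_addr) == 1;
    return 0;
}

/* Hypothetical check: may a jailed process bind to `want`, given the single
 * address `allowed` assigned to its jail? Anything not an exact match in the
 * same family is denied, including wildcard addresses and unknown families. */
int jail_bind_allowed(const struct sockaddr *allowed, const struct sockaddr *want)
{
    if (allowed == NULL || want == NULL || allowed->sa_family != want->sa_family)
        return 0;
    switch (want->sa_family) {
    case AF_INET: {
        const struct sockaddr_in *a = (const struct sockaddr_in *)allowed;
        const struct sockaddr_in *w = (const struct sockaddr_in *)want;
        return a->sin_addr.s_addr == w->sin_addr.s_addr;
    }
    case AF_INET6: {
        const struct sockaddr_in6 *a = (const struct sockaddr_in6 *)allowed;
        const struct sockaddr_in6 *w = (const struct sockaddr_in6 *)want;
        return a->sin6_scope_id == w->sin6_scope_id &&
               memcmp(&a->sin6_addr, &w->sin6_addr, sizeof(a->sin6_addr)) == 0;
    }
    default:
        return 0;   /* fail closed on families the jail does not understand */
    }
}

/* Convenience wrapper over constructed textual addresses. */
int check(int jail_af, const char *jail_ip, int want_af, const char *want_ip)
{
    struct sockaddr_storage j, w;
    if (!make_sockaddr(jail_af, jail_ip, &j) || !make_sockaddr(want_af, want_ip, &w))
        return 0;
    return jail_bind_allowed((struct sockaddr *)&j, (struct sockaddr *)&w);
}
```

The family mismatch case is the one a 32-bit ip-number field cannot express: an IPv4-only jail must also refuse every IPv6 bind.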