Date: Sun, 15 Feb 2004 08:34:21 -0800 (PST)
From: Julian Elischer
To: Robert Watson
cc: cvs-src@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: Pawel Jakub Dawidek
cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern kern_jail.c

On Sun, 15 Feb 2004, Robert Watson wrote:

>
> On Sun, 15 Feb 2004, Pawel Jakub Dawidek wrote:
>
> > On Sat, Feb 14, 2004 at 11:19:48AM -0800, Robert Watson wrote:
> > +> Commiter: Robert Watson
> > +> Branch: HEAD
> > +>
> > +> Files:
> > +> 1.38 src/sys/kern/kern_jail.c
> > +>
> > +> Log:
> > +> By default, don't allow processes in a jail to list the set of
> > +> jails in the system. Previous behavior (allowed) may be restored
> > +> by setting security.jail.list_allowed=1.
> >
> > Are you planning to leave this sysctl? IMHO the previous behaviour was
> > just bad, this was a bug, and restoring this behaviour shouldn't be
> > permitted. But if this sysctl is just a temporary solution and will be
> > removed in the future, it is ok (but maybe BURN_BRIDGES should be
> > added?).
> >
> > PS. This functionality is quite fresh, I'm not sure if someone started
> > to depend on it...
>
> Yeah, the interesting question here is whether it was intentional in the
> first place for a good reason, or just a by-product of the implementation.
> How about we wait three weeks and see if anyone complains on
> freebsd-current about the loss of functionality -- if no one says
> anything, we remove the sysctl?

In scripts I use the fact that "df /" in a jail returns the size of some
other filesystem to see if I'm in a jail. I've asked before for a simple
sysctl to let me know if I'm in a jail but the response was generally
-ve.. you sometimes need to be able to know you are in a jail so that
you can know not to attempt things that are not permitted in jails..
(e.g. pings, or ifconfig'ing network interfaces)

>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org      Senior Research Scientist, McAfee Research