From owner-freebsd-hackers Sat Sep 25 6:34:47 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id BEA4D14C99; Sat, 25 Sep 1999 06:34:41 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id PAA11746; Sat, 25 Sep 1999 15:34:32 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Alexander Bezroutchko
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: about jail
In-reply-to: Your message of "Sat, 25 Sep 1999 17:17:12 +0400." <19990925171712.A80535@zenon.net>
Date: Sat, 25 Sep 1999 15:34:31 +0200
Message-ID: <11744.938266471@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <19990925171712.A80535@zenon.net>, Alexander Bezroutchko writes:

>* ping, traceroute don't work due to lack of permissions to create an icmp socket.
> I think it is simple to make a workaround for such problems:
> create a daemon listening on a unix domain socket for requests from a jail.
> The daemon will take the request and the pid of the requesting process, validate it,
> process it and return the answer to the client.

That would work.

>* only one IP address is available in jail
> It is an acceptable limitation, but some daemons would like to use the localhost
> address (127.0.0.1).

127.0.0.1 is mapped to the jail address. telnet localhost does what you'd expect it to.

>* the whole kernel MIB is readable, and kern.hostname is writable from jail
> I think we should restrict the information about the system available from jail --
> leave readable only the data required for the proper working of libc
> functions like gethostname, getpagesize, sysconf, etc.

kern.hostname only writes the name for that jail.

> If we leave kern.hostname writable from jail, we should
> add a new field to `struct jail', say `jailname'.

It's called "p_prison->pr_host" and it was there from day #1.

> And
> /proc//status must show this value.

It already does.

>* scheduling
> The scheduler must provide an equal time quantum to each jail. I think
> something like a "fair share scheduler" is required. Are there any plans
> to implement such a scheme in FreeBSD?

Not from me.

>* resource limits
> The current resource limit scheme does not provide enough isolation of jails.

no plans.

>* it is possible to escape from jail
> The following program escapes from jail (tested under 4.0-19990918-CURRENT):

You're right, I've overlooked that one. Will fix.

>Has anybody already encountered and solved the problems described above
>or have any ideas?

No, this is the first one I've heard about.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
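The request-broker daemon sketched in the quoted proposal, as an added C example that is not code from the thread or from FreeBSD: a jailed client asks a privileged helper over a unix-domain socket, the helper identifies the caller from kernel-supplied peer credentials rather than anything the client sends, and it accepts only a fixed request grammar before acting. The "PING <hostname>" wire format, the function names and checking the caller's uid (where the proposal mentions the pid) are assumptions; the credential option is LOCAL_PEERCRED on FreeBSD and SO_PEERCRED on Linux.

```c
#define _GNU_SOURCE                 /* struct ucred on glibc */
#include <ctype.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/ucred.h>              /* struct xucred for LOCAL_PEERCRED */
#endif
/* Peer uid of an AF_UNIX socket as reported by the kernel; the client cannot forge it. */
static int peer_uid(int fd, uid_t *uid) {
#if defined(SO_PEERCRED)                      /* Linux */
    struct ucred cr; socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len)) return -1;
    *uid = cr.uid; return 0;
#elif defined(LOCAL_PEERCRED)                 /* FreeBSD */
    struct xucred xc; socklen_t len = sizeof xc;
    if (getsockopt(fd, 0, LOCAL_PEERCRED, &xc, &len)) return -1;
    *uid = xc.cr_uid; return 0;
#else
#error "no peer-credential socket option on this platform"
#endif
}
/* Hypothetical grammar: only "PING <hostname>\n", plain DNS characters, no leading '-'
 * so the privileged side can never read the argument as an option. 0 = accepted. */
int validate_request(const char *line, char *host, size_t hostsz) {
    if (strncmp(line, "PING ", 5) != 0) return -1;
    const char *p = line + 5;
    size_t n = strcspn(p, "\n");
    if (n == 0 || n > 253 || n >= hostsz || p[n] != '\n' || p[n + 1] || *p == '-') return -1;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)p[i]) && p[i] != '.' && p[i] != '-') return -1;
    memcpy(host, p, n); host[n] = '\0'; return 0;
}
/* Serve one connection: identify the peer, then parse, then act through a callback. */
int serve_client(int fd, uid_t allowed_uid, int (*do_ping)(const char *)) {
    char line[300], host[256]; uid_t uid; ssize_t r;
    if (peer_uid(fd, &uid) != 0 || uid != allowed_uid) return -1;
    if ((r = read(fd, line, sizeof line - 1)) <= 0) return -1;
    line[r] = '\0';
    if (validate_request(line, host, sizeof host) != 0) return -1;
    return do_ping(host);
}
/* Self-test harness (constructed): over a socketpair the kernel reports our own uid. */
char last_host[256];
static int record_ping(const char *h) { strncpy(last_host, h, 255); return 0; }
int demo_roundtrip(const char *request) {
    int sv[2]; last_host[0] = '\0';
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (write(sv[1], request, strlen(request)) < 0) return -1;
    int rc = serve_client(sv[0], getuid(), record_ping);
    close(sv[0]); close(sv[1]); return rc;
}
```

In a real daemon the socket would be bound at a path visible inside the jail and do_ping would run the ICMP exchange outside it; the validation and credential steps stay the same.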