Date: Thu, 10 Dec 2009 09:43:07 +0000 (GMT)
From: Robert Watson
To: Ivan Voras
Cc: freebsd-hackers@freebsd.org
Subject: Re: UNIX domain sockets on nullfs still broken?

On Mon, 30 Nov 2009, Ivan Voras wrote:

>> What's the sane solution, then, when the only method of communication is
>> unix domain sockets?
>
> It is a security problem. I think the long-term solution would be to add a
> sysctl analogous to security.jail.param.securelevel to handle this.
>
> I don't think there is a workaround right now.

I'm not sure I agree on the above, hence my comments about nullfs and unionfs.
I see nullfs as intended to provide references (possibly masked to read-only) to the same fundamental object, and unionfs to provide independence between different consumers that see objects via different file system mounts. As such, I'd expect UNIX domain sockets to "work" for inter-jail communication when using nullfs, and "not work" when using unionfs. It's simply a property of the implementation of the linkage between VFS and UNIX domain sockets that they are currently both broken (in fact, someone tried to "fix" it with union mounts recently, running into the use-after-free bugs I mentioned, but also breaking the semantics in my view).

Robert N M Watson
Computer Laboratory
University of Cambridge