From owner-freebsd-hackers@FreeBSD.ORG Tue Dec 1 15:22:04 2009
Date: Tue, 1 Dec 2009 10:22:02 -0500
Message-ID: <237c27100912010722g2f6c4647ga82370284bc26e20@mail.gmail.com>
References: <20091130142950.GA86528@logik.internal.network> <20091130150127.GA82188@logik.internal.network>
From: Linda Messerschmidt
To: Ivan Voras
Cc: freebsd-hackers@freebsd.org
Subject: Re: UNIX domain sockets on nullfs still broken?
List-Id: Technical Discussions relating to FreeBSD

On Mon, Nov 30, 2009 at 10:14 AM, Ivan Voras wrote:
>> What's the sane solution, then, when the only method of communication
>> is unix domain sockets?
>
> It is a security problem. I think the long-term solution would be to add a
> sysctl analogous to security.jail.param.securelevel to handle this.

Out of curiosity, why is allowing access to a Unix domain socket in a
filesystem to which a jail has explicitly been allowed access more or less
secure than allowing access to a file or a devfs node in a filesystem to
which a jail has explicitly been allowed access?