From: Yoshinobu Inoue <shin@nd.net.fujitsu.co.jp>
To: freebsd-hackers@freebsd.org, freebsd-security@FreeBSD.ORG
Subject: Should jail treat ip-number?
Date: Tue, 09 Nov 1999 12:54:45 +0900
Message-Id: <19991109125445E.shin@nd.net.fujitsu.co.jp>

Hello,

I have some concerns about jail, and would like to discuss them.

Currently jail sets an IP number and lets the imprisoned processes
bind only to it. My concerns are:

(1) When IPv6 is added to the system, a more general id would be
    desirable.

(2) What is the goal of the restriction?

    If physical-level access protection is wanted, then specifying the
    interface name is a more general and certain way of achieving it.
    (Because when that IP number is moved to another network interface,
    the restriction will also move with it.)

    If some virtual network-level protection is wanted, then specifying
    an IP number is suitable, but I think a more general id should be
    used, such as a pointer to a sockaddr.

I think the kernel change will not be so large for any of the above
additions or changes, but there will be some backward compatibility
issues for the API (some member additions to the jail structure, and
jail command extensions).

Yoshinobu Inoue
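As an added illustration of the sockaddr-based generalisation proposed in the mail (example code written for this page, not taken from the mail or from FreeBSD's jail implementation), the sketch below decides whether a jailed process may bind a requested address, and works for both AF_INET and AF_INET6 because the restriction is carried as a pointer to a sockaddr. The rewrite of a wildcard bind to the jail's address, the function names and the 192.0.2.0/24 and 2001:db8:: addresses are assumptions made for the example.

```c
/* Added example, not from the original mail or from FreeBSD: an
 * address-family independent "may this jailed process bind here?" check
 * that takes the jail's restriction as a pointer to a sockaddr, as the
 * mail proposes. Rewriting a wildcard bind to the jail's address is an
 * assumption for the sketch, not a claim about the 1999 jail(2) code. */
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum bind_verdict { BIND_ALLOW, BIND_REWRITE, BIND_DENY };

/* jail_addr: the single address (v4 or v6) the jail is confined to.
 * req: the address the process asked for; on BIND_REWRITE it is
 * overwritten in place with the jail's address. */
enum bind_verdict jail_check_bind(const struct sockaddr *jail_addr,
                                  struct sockaddr_storage *req)
{
    if (jail_addr->sa_family != req->ss_family)
        return BIND_DENY;                    /* cross-family bind refused */
    if (jail_addr->sa_family == AF_INET) {
        const struct sockaddr_in *j = (const struct sockaddr_in *)jail_addr;
        struct sockaddr_in *r = (struct sockaddr_in *)req;
        if (r->sin_addr.s_addr == htonl(INADDR_ANY)) {
            r->sin_addr = j->sin_addr;       /* 0.0.0.0 -> jail address */
            return BIND_REWRITE;
        }
        return r->sin_addr.s_addr == j->sin_addr.s_addr ? BIND_ALLOW : BIND_DENY;
    }
    if (jail_addr->sa_family == AF_INET6) {
        const struct sockaddr_in6 *j = (const struct sockaddr_in6 *)jail_addr;
        struct sockaddr_in6 *r = (struct sockaddr_in6 *)req;
        if (IN6_IS_ADDR_UNSPECIFIED(&r->sin6_addr)) {
            r->sin6_addr = j->sin6_addr;     /* :: -> jail address */
            return BIND_REWRITE;
        }
        return memcmp(&r->sin6_addr, &j->sin6_addr, sizeof(struct in6_addr)) == 0
                   ? BIND_ALLOW : BIND_DENY;
    }
    return BIND_DENY;                        /* unknown address family */
}

/* Demo helper: fill a sockaddr_storage from a text address; 1 on success. */
int make_addr(const char *text, int family, struct sockaddr_storage *out)
{
    memset(out, 0, sizeof *out);
    out->ss_family = family;
    void *dst = family == AF_INET ? (void *)&((struct sockaddr_in *)out)->sin_addr
                                  : (void *)&((struct sockaddr_in6 *)out)->sin6_addr;
    return inet_pton(family, text, dst) == 1;
}
```

With the restriction expressed as a sockaddr, adding IPv6 only adds a branch to the check; the jail structure and the callers need not change shape per address family.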