To: current@FreeBSD.ORG
Subject: "JAIL" code headed for -current.
From: Poul-Henning Kamp
Date: Wed, 27 Jan 1999 11:48:16 +0100
Message-ID: <29763.917434096@critter.freebsd.dk>

I'm polishing up the "JAIL" code I wrote and readying it for -current.

This code provides an optional strengthening of the chroot() jail as
we know it, and will provide safe sandboxes for most practical uses.

The biggest impact of this is a new argument to the suser() call
all over the kernel:

	suser(NOJAIL, bla, bla);
or
	suser(0, bla, bla);

The NOJAIL option means that a jailed root fails the test.

I will add this extra arg to suser() in the first commit.

Each Jail can optionally be assigned one IP number, which they have
access to. All connections to and from that jail will use that IP#.

If there is interest, this code will be merged to 3.1 as well.

This work was sponsored by: www.servetheweb.com

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!