Date: Thu, 26 Jun 2003 06:24:41 +0700
From: Max Khon <fjoe@iclub.nsu.ru>
To: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Cc: freebsd-arch@freebsd.org
Subject: Re: Jailed sysvipc implementation.
Message-ID: <20030625232441.GC92939@iclub.nsu.ru>
In-Reply-To: <20030625175225.GS7587@garage.freebsd.pl>
References: <20030624164602.GW7587@garage.freebsd.pl> <Pine.NEB.3.96L.1030625132446.57143A-100000@fledge.watson.org> <20030625175225.GS7587@garage.freebsd.pl>
hi, there!

On Wed, Jun 25, 2003 at 07:52:25PM +0200, Pawel Jakub Dawidek wrote:

> +> We have some initial patches that wrap the user ipcperm structure in a
> +> kernel-specific structure, which we use to add a MAC label. It would be
> +> easy to also add a prison pointer. We probably won't get to merging this
> +> patch for a couple of weeks, but it's worth keeping in mind.
> +>
> +> http://www.watson.org/~robert/freebsd/mac_sysvipc.diff
> +>
> +> This needs style cleanup, bug fixing, testing, etc, but it's the direction
> +> we're pushing in for MAC right now.
>
> Hmm, I'm not sure if I understand the patch well, but with this stuff we will
> be able to run for example two postgresql servers in different jails?

No.

> Or it only will provide denying specified requests?

Yes. The goal is to use the existing MAC framework to deny access to foreign
(from other jail) sysvipc objects.

/fjoe
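As an added example (not code from this thread, from the mac_sysvipc patch, or from FreeBSD), here is a toy user-space C model of the distinction fjoe draws above: one global SysV IPC key table, each entry wrapped in a kernel-side structure that carries the owning prison next to the user-visible ipcperm, and an access check that refuses objects belonging to another jail. All names (`kipcperm`, `ipc_jail_check`, `model_shmget`, `model_jail_a`/`model_jail_b`), the host-is-unrestricted rule and the key value 5432 are assumptions of this illustration. It shows why such a check stops cross-jail access but does not let two jails each create their own object under the same key, which is what the "no" about two postgresql servers means.

```c
/*
 * Toy user-space model of the design discussed in the thread: a single
 * global SysV IPC key table, each object wrapped in a kernel-side
 * structure that records the owning prison, and an access check that
 * denies objects owned by another jail. Illustrative code written for
 * this page, not FreeBSD kernel code; names and the key are assumptions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_IPC_CREAT 01000   /* stands in for IPC_CREAT */
#define MAX_OBJECTS     8

struct prison {
    int pr_id;                  /* assumed: only an identifier is needed here */
};

/* Stand-in for the user-visible struct ipcperm */
struct ipcperm {
    unsigned uid, gid, mode;
    int key;
};

/* Kernel-side wrapper: the user ipcperm plus kernel-only fields */
struct kipcperm {
    struct ipcperm u;
    struct prison *pr;          /* owning jail, NULL for the host */
    int used;
};

static struct kipcperm ipc_table[MAX_OBJECTS];

/* Two constructed jails used by main() and by callers of the model */
struct prison model_jail_a = { 1 };
struct prison model_jail_b = { 2 };

void
model_reset(void)
{
    for (int i = 0; i < MAX_OBJECTS; i++)
        ipc_table[i].used = 0;
}

static int
ipc_find(int key)
{
    for (int i = 0; i < MAX_OBJECTS; i++)
        if (ipc_table[i].used && ipc_table[i].u.key == key)
            return i;
    return -1;
}

/*
 * The per-jail check: a jailed caller may only touch objects created by
 * its own prison. An unjailed caller (NULL) is unrestricted in this model
 * (a modelling choice, not a claim about FreeBSD's behaviour).
 */
int
ipc_jail_check(const struct prison *caller, const struct kipcperm *obj)
{
    if (caller == NULL)
        return 0;
    if (obj->pr != caller)
        return EACCES;
    return 0;
}

/* Model of shmget(key, flags): table index on success, -errno on failure */
int
model_shmget(struct prison *caller, int key, int flags)
{
    int idx = ipc_find(key);

    if (idx >= 0) {
        /* Object exists: the key table is global, so the jail check decides */
        int err = ipc_jail_check(caller, &ipc_table[idx]);
        return err ? -err : idx;
    }
    if (!(flags & MODEL_IPC_CREAT))
        return -ENOENT;
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (!ipc_table[i].used) {
            ipc_table[i].used = 1;
            ipc_table[i].u.uid = 0;
            ipc_table[i].u.gid = 0;
            ipc_table[i].u.mode = 0600;
            ipc_table[i].u.key = key;
            ipc_table[i].pr = caller;       /* record the creating jail */
            return i;
        }
    }
    return -ENOSPC;
}

int
main(void)
{
    int key = 5432;             /* constructed: the same key in both jails */

    model_reset();
    printf("jail A create: %d\n", model_shmget(&model_jail_a, key, MODEL_IPC_CREAT));
    printf("jail B create: %d (EACCES is %d)\n",
        model_shmget(&model_jail_b, key, MODEL_IPC_CREAT), -EACCES);
    printf("jail A reopen: %d\n", model_shmget(&model_jail_a, key, 0));
    return 0;
}
```

Jail A creates the object and gets index 0; jail B asking for the same key with IPC_CREAT does not get a second object but -EACCES, because the key table is shared and the existing entry belongs to a foreign prison. Giving each jail its own instance of the key under that key would require keying the table per prison, which is a different (namespacing) change from the access-denial the thread describes.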