Date: Tue, 25 Feb 2003 14:47:11 -0800
From: "Mooneer Salem" <mooneer@translator.cx>
To: "FreeBSD Hackers" <freebsd-hackers@freebsd.org>
Subject: Jail separation patch
Message-ID: <FHEMJMOKKMJDGKFOHHEPMEJOFCAA.mooneer@translator.cx>
Hello,

I've been working on extending the jail feature of FreeBSD to make it more friendly to VPS providers. I added the following features:

* Rudimentary CPU/RAM/number of processes per-jail limits
* Multiple IP support (from Pawel Jakub Dawidek's mijail patch for 4.7)
* Proper INADDR_ANY support added (so INADDR_ANY will bind to all IP addresses within a jail)
* struct prison added to SysV IPC code (to allow for secure use)
* Disk mount hiding
* Hot add/remove IP addresses from jail using sysctl
* Process hiding (non-root users outside jails cannot see jailed processes)

The patch is for 5.0-CURRENT/5.0-RELEASE. I would be interested in any comments or suggestions. If anyone's interested, it can be retrieved at http://msalem.translator.cx/dist/jail_seperation.v5.patch.

Example of new sysctl entries:

    % sysctl -a | grep jail
    jail.jails.test_lifeafterking_org.max_ram: 0
    jail.jails.test_lifeafterking_org.max_cpu: 0
    jail.jails.test_lifeafterking_org.max_procs: 0
    jail.jails.test_lifeafterking_org.procs_used: 10
    jail.jails.test_lifeafterking_org.ram_used: 5971968
    jail.jails.test_lifeafterking_org.cpu_used: 0
    jail.jails.test_lifeafterking_org.ipv4addr: 10.0.0.3,10.0.0.4
    security.jail.set_hostname_allowed: 1
    security.jail.socket_unixiproute_only: 1
    security.jail.sysvipc_allowed: 0
    security.jail.quotas_allowed: 0
    security.jail.hide_processes: 0
    %

Thanks,

--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
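An added example (not part of the patch or the post above) of how an operator could consume the per-jail sysctl entries the message describes: it parses `jail.jails.<name>.<resource>` lines and flags any jail whose `*_used` counter has reached its `max_*` limit. It assumes that a `max_*` value of 0 means "no limit" (the post shows max_procs 0 next to procs_used 10), and the second jail `www_example_org` in the sample is constructed.

```shell
#!/bin/sh
# Added example: report per-jail resource usage against the max_* limits
# exposed by the jail separation patch's sysctl tree. Not the patch's own code.
# Assumption: max_* == 0 means unlimited (as the posted output suggests).

# Constructed sample, modelled on the "sysctl -a | grep jail" output in the post;
# the www_example_org jail is invented to show a jail that has hit its limit.
SAMPLE_SYSCTL='jail.jails.test_lifeafterking_org.max_ram: 0
jail.jails.test_lifeafterking_org.max_cpu: 0
jail.jails.test_lifeafterking_org.max_procs: 0
jail.jails.test_lifeafterking_org.procs_used: 10
jail.jails.test_lifeafterking_org.ram_used: 5971968
jail.jails.test_lifeafterking_org.cpu_used: 0
jail.jails.test_lifeafterking_org.ipv4addr: 10.0.0.3,10.0.0.4
jail.jails.www_example_org.max_ram: 8388608
jail.jails.www_example_org.max_procs: 20
jail.jails.www_example_org.procs_used: 20
jail.jails.www_example_org.ram_used: 8000000
jail.jails.www_example_org.ipv4addr: 10.0.0.5
security.jail.hide_processes: 0'

# jail_report: read sysctl lines on stdin, print "<jail> <resource> <used>/<limit> <status>"
# for every resource that has a *_used counter. Status: unlimited, ok or AT_LIMIT.
jail_report() {
    awk -F'[.: ]+' '
        $1 == "jail" && $2 == "jails" {
            name = $3; key = $4; val = $5
            jails[name] = 1
            if (key ~ /^max_/)  limit[name, substr(key, 5)] = val
            if (key ~ /_used$/) used[name, substr(key, 1, length(key) - 5)] = val
        }
        END {
            n = split("ram cpu procs", res, " ")
            for (j in jails) for (i = 1; i <= n; i++) {
                r = res[i]
                if (!((j, r) in used)) continue
                u = used[j, r] + 0; l = limit[j, r] + 0
                if (l == 0) s = "unlimited"; else if (u >= l) s = "AT_LIMIT"; else s = "ok"
                printf "%s %s %d/%d %s\n", j, r, u, l, s
            }
        }' | sort
}

# jails_at_limit: names of jails with at least one resource at its limit.
jails_at_limit() {
    jail_report | awk '$4 == "AT_LIMIT" { print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_SYSCTL" | jail_report
```

On a host running the patch the same functions would read `sysctl -a | grep '^jail\.jails\.'` instead of the embedded sample.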