[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [ezjail] Limiting SysV-IPC to certain jails
Thank-you for bringing this shortcoming to my attention. You've saved a
lot of debugging effort.
A very old version of FreeBSD, running multiple jails and sysvipc which was
started from sysctl variables, caused me to carry assumptions into FreeBSD
9, so I must apologise to the list for an ineffective solution.
As the ezjail package already touches /etc (for the jails' fstab), I don't
see a significant problem with installing an /etc/rc.d/ezjail that does the
"right" thing, from an ezjail perspective.
I spent a couple of hours trying to coax the system to achieve the
endpoint, ie setting various attributes before /etc/rc.d/local in a jail.
In the end, I set
jail_sysvipc_allow="YES" in the host's /etc/rc.conf
And using my earlier patch turned off what wasn't needed, via
export jail_JAILNAME_parameters="allow.sysvipc=0 allow.raw_sockets=0"
Achieves the goal, but isn't elegant; and for a brief moment jails aren't
as secure as I'd like; forcing a return to mac_ifoff.