
RE: [ezjail] Limiting SysV-IPC to certain jails



Philipp, 

Thank you for bringing this shortcoming to my attention.  You've saved a
lot of debugging effort.

A very old version of FreeBSD, running multiple jails and sysvipc which was
started from sysctl variables, caused me to carry assumptions into FreeBSD
9, so I must apologise to the list for an ineffective solution.

As the ezjail package already touches /etc (for the jails' fstab), I don't
see a significant problem with installing an /etc/rc.d/ezjail that does the
"right" thing, from an ezjail perspective.

I spent a couple of hours trying to coax the system to achieve the
endpoint, i.e. setting various attributes before /etc/rc.d/local in a jail.
In the end, I set 
jail_sysvipc_allow="YES" in the host's /etc/rc.conf

And, using my earlier patch, turned off what wasn't needed, via
export jail_JAILNAME_parameters="allow.sysvipc=0 allow.raw_sockets=0"

This achieves the goal, but isn't elegant; and for a brief moment jails aren't
as secure as I'd like, forcing a return to mac_ifoff.

Regards, Dewayne.