List: freebsd-hackers
Subject: Re: jail && (ping && traceroute)
From: Pawel Jakub Dawidek <nick () garage ! freebsd ! pl>
Date: 2003-05-31 7:44:08
On Fri, May 30, 2003 at 05:35:42PM +0300, Alexandr Kovalenko wrote:
+> I have 2 questions:
+>
+> - where in code should I search for icmp socket binding prohibition in
+> jail?;
+> - what bad consequences will appear if I remove those checks and
+> prohibition?.
It is nasty to allow all jailed processes to open RAW sockets.
You can use CerbNG to allow only selected jailed processes to open a RAW socket.
General policy is here:
http://cerber.sourceforge.net/policies/jailed-icmp.cb
but you can easily rewrite it to allow only selected processes for this.
Project's page is here:
http://cerber.sourceforge.net
And rest of policies:
http://cerber.sourceforge.net/policies/
CerbNG works only on 4-STABLE systems for now and there will soon be a
1.0-RC2 version, but I've started porting it to -CURRENT.
--
Pawel Jakub Dawidek pawel@dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net