
List:       freebsd-jail
Subject:    Re: fdescfs patch for working hierarchical jails
From:       James Gritton <jamie () gritton ! org>
Date:       2014-09-27 16:18:32
Message-ID: 5426E358.9070005 () gritton ! org

On 9/27/2014 6:06 AM, Ruben van Staveren wrote:
> Hi James, others,
> 
> On 26 Sep 2014, at 21:28, James Gritton <jamie@gritton.org> wrote:
> 
> > On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
> > > Hi,
> > > 
> > > Could a committer have a look at
> > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
> > > This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
> > > 
> > > Thanks!
> > > 
> > > Best Regards,
> > > Ruben van Staveren
> > This would have to go into current first, and then MFC.  Considering
> > 10.1 is getting close to release, I suspect it wouldn't be allowed in.
> I agree, probably better to do it that way indeed.
> 
> > Also, I'm not sure I'd want to implement this in quite the proposed
> > way: it might suffice (from a security viewpoint) to use the existing
> > allow.mount.devfs for mounting fdescfs.
> Wouldn't that be misleading? It would be better to mop up the various pseudofses
> under the monicker allow.mount.pseudofs.

My thinking is that fdescfs is practically the same as what devfs
already offers - just more descriptors in /dev/fd than the basic
three.  I can't see why allowing one wouldn't be akin to allowing the
other.  In fact, I fail to understand why it was made a separate
filesystem in the first place.  Perhaps someone on the sec team will
tell me otherwise when I ask (which I ought to do before forging
ahead).

- Jamie

