Re: Jailed sysvipc implementation.
From: Max Khon (fjoe_at_iclub.nsu.ru)
Date: 06/26/03
- Previous message: Julian Elischer: "Re: Jailed sysvipc implementation."
- In reply to: Pawel Jakub Dawidek: "Re: Jailed sysvipc implementation."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 Jun 2003 06:24:41 +0700
To: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
hi, there!
On Wed, Jun 25, 2003 at 07:52:25PM +0200, Pawel Jakub Dawidek wrote:
> +> We have some initial patches that wrap the user ipcperm structure in a
> +> kernel-specific structure, which we use to add a MAC label. It would be
> +> easy to also add a prison pointer. We probably won't get to merging this
> +> patch for a couple of weeks, but it's worth keeping in mind.
> +>
> +> http://www.watson.org/~robert/freebsd/mac_sysvipc.diff
> +>
> +> This needs style cleanup, bug fixing, testing, etc, but it's the direction
> +> we're pushing in for MAC right now.
>
> Hmm, I'm not sure if I understand the patch well, but with this stuff we will
> be able to run for example two postgresql servers in different jails?
no
> Or it only will provide denying specified requests?
yes. the goal is to use existing MAC framework to deny access to
foreign (from other jail) sysvipc objects.
/fjoe
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"