Re: Call for a hacker.... security.bsd.see_other_uids in jails only

From: Pawel Jakub Dawidek (pjd_at_FreeBSD.org)
Date: 05/21/04

  • Next message: Alex Lyashkov: "Re: Call for a hacker.... security.bsd.see_other_uids in jails only"

Date: Fri, 21 May 2004 11:41:19 +0200
To: Ruslan Ermilov <ru@freebsd.org>

On Fri, May 21, 2004 at 12:02:17PM +0300, Ruslan Ermilov wrote:
+> I like the idea of per-jail sysctl MIB trees, e.g.:
+>
+> jail.<JID>.security.bsd
+>
+> When jail gets created, the generic sysctl code would traverse
+> the primary sysctl tree (excluding the jail. subtree), and copy
+> and attach those that have some jail-related flag to the
+> jail.<JID>. branch.
+>
+> Inside the jail, jail.<JID>.security.bsd branch would map to
+> just security.bsd.
+>
+> The generic sysctl code, when it detects it's run within a
+> jail, will find a sysctl node "foo.bar", and if it has a
+> jail-clone flag set, will remap a query to jail.<JID>.foo.bar.
+>
+> Whether it's allowed to change a particular sysctl inside
+> a jail is another matter.

There are two main issues with our current sysctls implementation:
1. We cannot hide sysctls/sysctl-trees.
2. We're operating in most cases on integers.

We can work on 1, but we can't hack 2 easily; we would have to transform
sysctls that have to be treated on a per-jail basis from SYSCTL_INT
to SYSCTL_PROC, and if so, I'm not sure what we need
security.jail.<JID> trees for then. We can implement them in the same
way security.jail.jailed is implemented (it shows a different value
outside a jail and a different one inside), and if we want to change it:

        # jexec <JID> /sbin/sysctl <some_sysctl>=<some_value>

Of course, there may be no /sbin/sysctl utility inside a jail,
but I'd still suggest adding a '-j' option to the sysctl command to
work just like 'killall -j' (i.e. jail_attach(<JID>); sysctl();).

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!

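The 'sysctl -j' behaviour proposed in the message above (jail_attach(<JID>) followed by a sysctl call) written out as a small userland program. This is an added example and is not code from the post or from FreeBSD's sysctl(8). jail_attach(2) and sysctlbyname(3) are real FreeBSD calls and are compiled only under __FreeBSD__; the helper names split_assignment, parse_int_value and set_jailed_int_sysctl are this example's own, and it deliberately handles only integer sysctls, which is the case point 2 of the message is about.

```c
/* Added example (not from the original post): a minimal model of the
 * proposed `sysctl -j <JID> <name>=<int>`, i.e. jail_attach(<JID>) and
 * then sysctl(3), the same pattern as 'killall -j'.  The jail and sysctl
 * calls are FreeBSD-only; the argument handling is portable. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/jail.h>
#include <sys/sysctl.h>
#endif

/* Split "name=value" into its two halves.  Returns 1 on success, 0 when
 * the argument has no '=', an empty name, an empty value, or does not fit
 * the caller-owned buffers. */
int split_assignment(const char *arg, char *name, size_t nlen,
                     char *value, size_t vlen)
{
    const char *eq = strchr(arg, '=');
    if (eq == NULL || eq == arg || eq[1] == '\0')
        return 0;
    size_t n = (size_t)(eq - arg);
    if (n >= nlen || strlen(eq + 1) >= vlen)
        return 0;
    memcpy(name, arg, n);
    name[n] = '\0';
    strcpy(value, eq + 1);
    return 1;
}

/* Parse a decimal integer sysctl value: the whole string must be consumed
 * and the value must fit an int (SYSCTL_INT nodes are plain ints). */
int parse_int_value(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0' || errno == ERANGE ||
        v < INT_MIN || v > INT_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Attach to the jail, then set the integer sysctl from inside it, so the
 * kernel sees a jailed credential and applies the per-jail view/permission
 * (the same mechanism that makes security.jail.jailed differ inside and
 * outside).  Returns 0 on success, -1 with errno set.  Attaching needs
 * root outside the jail; this example does not try to hide that. */
int set_jailed_int_sysctl(int jid, const char *name, int value)
{
#ifdef __FreeBSD__
    if (jail_attach(jid) == -1)
        return -1;
    return sysctlbyname(name, NULL, NULL, &value, sizeof(value));
#else
    (void)jid; (void)name; (void)value;
    errno = ENOSYS;          /* not a FreeBSD host: nothing to attach to */
    return -1;
#endif
}

int main(int argc, char **argv)
{
    char name[128], value[64];
    int ival;

    if (argc != 3 ||
        !split_assignment(argv[2], name, sizeof name, value, sizeof value) ||
        !parse_int_value(value, &ival)) {
        fprintf(stderr, "usage: %s <JID> <sysctl>=<int>\n", argv[0]);
        return 2;
    }
    int jid = atoi(argv[1]);
    if (set_jailed_int_sysctl(jid, name, ival) == -1) {
        perror(name);
        return 1;
    }
    printf("%s set to %d inside jail %d\n", name, ival, jid);
    return 0;
}
```

Because the process attaches to the jail before issuing the sysctl, whatever per-jail rule the kernel enforces (hidden node, read-only inside a jail, or a jail-local value) applies exactly as it would to `jexec <JID> /sbin/sysctl`, without needing a sysctl binary present inside the jail.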