Jailed sysvipc implementation.
Max Khon
fjoe at iclub.nsu.ru
Wed Jun 25 16:26:00 PDT 2003
hi, there!
On Wed, Jun 25, 2003 at 07:52:25PM +0200, Pawel Jakub Dawidek wrote:
> +> We have some initial patches that wrap the user ipcperm structure in a
> +> kernel-specific structure, which we use to add a MAC label. It would be
> +> easy to also add a prison pointer. We probably won't get to merging this
> +> patch for a couple of weeks, but it's worth keeping in mind.
> +>
> +> http://www.watson.org/~robert/freebsd/mac_sysvipc.diff
> +>
> +> This needs style cleanup, bug fixing, testing, etc, but it's the direction
> +> we're pushing in for MAC right now.
>
> Hmm, I'm not sure if I understand the patch well, but with this stuff we will
> be able to run for example two postgresql servers in different jails?
no
> Or will it only provide denial of specified requests?
yes. the goal is to use the existing MAC framework to deny access to
foreign (from other jail) sysvipc objects.
/fjoe