Reliable process tracking
John Baldwin
jhb at freebsd.org
Fri Aug 9 15:02:05 UTC 2013
On Thursday, August 08, 2013 11:05:43 pm Julian Elischer wrote:
> On 8/9/13 11:01 AM, Don Lewis wrote:
> > On 9 Aug, Julian Elischer wrote:
> >
> >> I've been pondering the possibility of appending a universe (jail)
> >> number to the
> >> UIDS, PIDS and various other things. (classes maybe?).
> >>
> >> It wouldn't have to be everywhere, but there are a number of places
> >> where comparisons would
> >> DTRT if they were comparing "my_jail+my_uid" with "his_jail+his_uid",
> >> instead of just the UIDs.
> >> It would also help with the "multiple roots" problem, and might
> >> simplify some of the current code.
> > If that's all you want, then why not just compare
> > proc1->p_fd->fd_jdir to proc2->p_fd->fd_jdir
> > for the jail check?
> >
> because multiple jails can have the same root directory?
However, td1->td_ucred->cr_prison == td2->td_ucred->cr_prison would work.
OTOH, there are folks looking at considering how to make other types of
security tokens work that are needed for better integration with other
systems (think remote Windows AD logins or remote Kerberos realms). If
you want to pursue this path you should likely talk to Robert Watson,
Justin Gibbs, and other folks that they suggest. I think their route
is probably a better model for uids/gids. I do think it might make sense
to have per-jail namespaces for other things like pids, login classes,
etc.
--
John Baldwin
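The two jail-identity checks discussed in this thread, as an added example that is not code from the thread or from the FreeBSD kernel. The struct definitions below are simplified stand-ins for struct vnode, struct prison, struct ucred, struct filedesc, struct proc and struct thread that keep only the fields the discussion names (fd_jdir, cr_prison, cr_uid); the two jails, the shared root directory and the three sample threads are constructed for the demonstration. It shows the case Julian raised: two distinct jails with the same root directory compare as "the same jail" under the fd_jdir comparison but are correctly told apart by comparing cr_prison, and the "my_jail+my_uid" test can be written as a pair comparison without appending a jail number to the uid.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures named in the thread.
 * These are not FreeBSD's definitions; only the fields the discussion
 * refers to are modelled, and every instance below is constructed. */
struct vnode    { const char *path; };                    /* a directory vnode */
struct prison   { int pr_id; struct vnode *pr_root; };    /* one jail */
struct ucred    { int cr_uid; struct prison *cr_prison; };
struct filedesc { struct vnode *fd_jdir; };               /* jail root dir of a process */
struct proc     { struct filedesc *p_fd; };
struct thread   { struct ucred *td_ucred; struct proc *td_proc; };

/* Don Lewis's suggestion: compare the processes' jail root directories.
 * Two different jails can be rooted at the same directory, so this
 * yields a false positive in that case. */
bool same_jail_by_jdir(const struct proc *p1, const struct proc *p2)
{
    return p1->p_fd->fd_jdir == p2->p_fd->fd_jdir;
}

/* John Baldwin's suggestion: compare the prison each credential belongs
 * to. Distinct jails are distinct struct prison objects regardless of
 * where they are rooted. */
bool same_jail_by_prison(const struct thread *td1, const struct thread *td2)
{
    return td1->td_ucred->cr_prison == td2->td_ucred->cr_prison;
}

/* The "my_jail+my_uid" == "his_jail+his_uid" comparison Julian wanted,
 * written as a pair comparison instead of a combined identifier. */
bool same_principal(const struct thread *td1, const struct thread *td2)
{
    return same_jail_by_prison(td1, td2) &&
           td1->td_ucred->cr_uid == td2->td_ucred->cr_uid;
}

/* Constructed scenario: two distinct jails sharing one root directory,
 * plus a third process that is genuinely in the first jail. All three
 * processes run as uid 1001 inside their jail. */
static struct vnode    shared_root = { "/jails/shared" };
static struct prison   jail_one = { 1, &shared_root };
static struct prison   jail_two = { 2, &shared_root };
static struct filedesc fd_one   = { &shared_root };
static struct filedesc fd_two   = { &shared_root };
static struct filedesc fd_three = { &shared_root };
static struct proc     proc_one   = { &fd_one };
static struct proc     proc_two   = { &fd_two };
static struct proc     proc_three = { &fd_three };
static struct ucred    cred_one   = { 1001, &jail_one };  /* uid 1001, jail 1 */
static struct ucred    cred_two   = { 1001, &jail_two };  /* uid 1001, jail 2 */
static struct ucred    cred_three = { 1001, &jail_one };  /* uid 1001, jail 1 */
static struct thread   td_one   = { &cred_one,   &proc_one };
static struct thread   td_two   = { &cred_two,   &proc_two };
static struct thread   td_three = { &cred_three, &proc_three };

int main(void)
{
    printf("fd_jdir   jail1 vs jail2: %s (false positive, same root dir)\n",
           same_jail_by_jdir(&proc_one, &proc_two) ? "same" : "different");
    printf("cr_prison jail1 vs jail2: %s\n",
           same_jail_by_prison(&td_one, &td_two) ? "same" : "different");
    printf("cr_prison jail1 vs jail1: %s\n",
           same_jail_by_prison(&td_one, &td_three) ? "same" : "different");
    printf("principal uid1001@jail1 vs uid1001@jail2: %s\n",
           same_principal(&td_one, &td_two) ? "same" : "different");
    printf("principal uid1001@jail1 vs uid1001@jail1: %s\n",
           same_principal(&td_one, &td_three) ? "same" : "different");
    return 0;
}
```

The real cr_prison comparison in the kernel would additionally need to consider nested jails (a parent jail's credential versus a child's), which this flat model does not represent.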