[Bug 211580] deny system message buffer access from jails

bugzilla-noreply at freebsd.org
Sat Oct 13 23:13:33 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211580

--- Comment #14 from Jamie Gritton <jamie at FreeBSD.org> ---
(In reply to Joe Barbish from comment #13)

You can't just wholesale take away sysctl - there are too many things that use
the sysctl interface to have a reasonably functional system when you're
through.  For example: you take away your hostname, your processes.  There are
individual bits of the MIB that jails shouldn't see, but they're not really the
majority and can be handled on a case-by-case basis.

And in particular, there's no point in taking away security.jail.jailed.  It's
a boolean in whether you're in a jail, which has such a wide variety of
discoverability that you might as well just put it plain in front of your face.
And if you took it away, it would still work, just with ENOENT meaning that
you're in a jail.

A jail isn't a virtual machine; it was never an attempt to fool the jailed user
into thinking that they're not jailed.  If you care to look, you will know that
you're jailed.  You will also know a few different particulars about what your
jail can't do, so you can avoid bothering to even try something that doesn't
work for your situation.
