RFC: Jail privsets

Bjoern A. Zeeb bz at FreeBSD.org
Sun Nov 29 15:41:40 UTC 2020


On 29 Nov 2020, at 15:33, Kyle Evans wrote:

> Sure- I'm not so sure about vnet, but all of the allow flags could get
> deprecated in favor of describing the privs available somewhere and
> letting admin make decisions. I think the vnet set still makes a lot
> of sense unless you're also proposing that we could just create new
> vnets if one of those privileges is turned on -- in which case, we'd
> still have to manage the set, but it wouldn't be used much beyond a
> hint mask that we need to create a vnet.

What I am thinking of is a /etc/defaults/devfs.rules a-like set of privs
describing base, jail, jailvnet and then pick appropriately if the jail
gets created with vnet (though I can imagine some people extending a
default jail set — e.g. for raw sockets — or removing some privs from a
vnet jail set).

The tricky bit would be to manage the header file and the text description,
but having a default wildcard of “*” or “all” for base would probably catch
the most cases.


/bz


More information about the trustedbsd-discuss mailing list