On Tue, Feb 25, 2003 at 02:47:11PM -0800, Mooneer Salem wrote:
+> I've been working on extending the jail feature of FreeBSD to make it
+> more friendly to VPS providers. I added the following features:
+> 
+> * Rudimentary CPU/RAM/number of processes per-jail limits
+> * Multiple IP support (from Pawel Jakub Dawidek's mijail patch for 4.7)
+>   * Proper INADDR_ANY support added (so INADDR_ANY will bind to all IP
+>     addresses within a jail)

And what happens when we have a situation like:

1.
        main host ips: 1.1.1.2, 1.1.1.3, 1.1.1.4
        jailed host ips: 1.1.1.2, 1.1.1.3

        Daemon in jail binds to INADDR_ANY to port X, somebody connects
        to port X, but to IP 1.1.1.4 (outside jail). Will the connection succeed?
2.
        main host ips: 1.1.1.2, 1.1.1.3, 1.1.1.4
        jailed host ips: 1.1.1.2, 1.1.1.3

        Daemon outside jail binds to port X on IP 1.1.1.4.
        User in jail connects to port X to INADDR_ANY.
        Will the connection succeed?

What happens when a daemon inside the jail and a daemon outside the jail bind
to the same port? If I'm connecting to this port, who will handle the connection?


+> * struct prison added to SysV IPC code (to allow for secure use)

A better solution is to create separate memory zones for the main host and every
jail; look at my patch against 5.0-CURRENT:

        http://garage.freebsd.pl/privipc.tbz 
        http://garage.freebsd.pl/privipc.README

+> * Disk mount hiding

A better way is, IMHO, hiding and cutting pathnames; look at:

        http://garage.freebsd.pl/jailfsstat.tgz
        http://garage.freebsd.pl/jailfsstat.README

+> * Hot add/remove IP addresses from jail using sysctl
+> * Process hiding (non-root users outside jails cannot see jailed processes)

This isn't a complete solution and I think it couldn't be, because you
could still modify files owned by jailed users with the UID of a non-jailed user, so...

+> The patch is for 5.0-CURRENT/5.0-RELEASE. I would be interested in
+> any comments or suggestions. If anyone's interested, it can be retrieved
+> at http://msalem.translator.cx/dist/jail_seperation.v5.patch.

You could add multi-level jailing, IMHO it's cool:

        http://garage.freebsd.pl/mljail.tbz
        http://garage.freebsd.pl/mljail.README

Nice work, I'm wondering if something will ever be committed :)

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
