Kyle, Thanks for sharing your ideas and work to date (via https://reviews.freebsd.org/D53953).
Hiding jails from jls is an interesting idea, akin to hiding processes via mac_seeotheruids policy controls. Nice, though note: ps -o jid.

I suspect that the use case that you have in mind is to generally prevent non-root from acting upon the jails' processes, and prevent root from manipulating the jail after certain conditions are met? aka sticky jails :)

My use-case is that the base system has no non-root access and starts all jails and the processes within. All jails have securelevel=3, where I run normal server apps in separate jails: sendmail, samba as AD and as standalone, squid, apache, etc. These processes may be (are) restarted from outside the jail for updates, or if they don't respond to HUP as expected (config reload); so for me interaction is likely.

Perhaps the elephant in the room, filesystem access, could be mitigated via a mac_label that propagates from the prison to the filesystem and limits access via labelled values. aka a mix of mac_partition and mac_extended where the mount point (either nullfs, unionfs or device) receives the labelled value and access to files without that value is blocked; this implies that the label is propagated to processes within the jail. The label could be set within jail.conf. The limitation is that devices might need to be mounted multi-label (unless dedicated, hence single label). This would assist with the management of classified information (aka the old restricted, confidential, secret etc).

Apologies if this is beyond scope, but this absence of unifying/dedicating processes to files seems to be a weak-point; given that most of MAC_* deals with processes.

Kind regards, Dewayne.

PS The mechanism of labelling files to match the jail needs more thought, though pre-labelling files seems most convenient? NFS is harder.