> Xin Li,
>
> I can envision the use of tmpfs without providing access to mounting other
> devices within a jail context.
>
> It would be better if this feature had its own sysctl to control the
> jail's state, particularly as a DOS could "inadvertently" be
> introduced, per Kib's earlier point. Other device types have additional
> mitigation strategies, such as exclusion via dev.rules,
> which tmpfs doesn't have.
>
> Regards, Dewayne.
>
> Xin,

This is a great feature and it has several use cases. What about the possibility of a sysctl that adds a max amount that a jail could set a tmpfs... this would be per jail. Now in theory you could overcommit resources, but that would be an administrator's decision, and not one jail could consume all resources.

-- 
Sam Fourman Jr.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
