On Mon, 2006-Apr-03 08:19:00 -0400, Daniel Eischen wrote:

> I don't really see what the problem is. ESRCH seems perfectly
> reasonable for trying to kill (even sig 0) a process from a
> different jail. If you're in a jail, then you shouldn't have
> knowledge of processes from other jails.
I agree in general. The problem here is that SysV IPC isn't jail-aware - there's a single SysV IPC address space across the physical system. This confuses (e.g.) postgres because it can see the SHM for a postgres instance in another jail, but kill(2) claims that the process associated with that SHM doesn't exist.

There appear to be two solutions:

1) Add a sysctl to change cr_cansignal() and/or prison_check() to make processes visible between jails.

2) Change SysV IPC to be jail-aware.

The former is trivial - but has a number of security implications. The latter is much harder; there is apparently a RELENG_4 patch in kern/48471, but it's not clear how much work would be necessary to bring it up to scratch.

--
Peter Jeremy

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
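The liveness check the thread is about, as an added example that is not part of the original post or of postgres: a program reads the creator pid of a SysV shared-memory segment via shmctl(IPC_STAT) and then probes that pid with kill(pid, 0), classifying the outcome. The point it shows is the ambiguity Peter describes: ESRCH comes back both for a process that has exited and for a live process that is simply not visible from the caller's jail, so a "segment owner is gone, safe to reclaim" decision cannot be made from ESRCH alone. It assumes a POSIX system with SysV shm (FreeBSD or Linux); the function and enum names are mine.

```c
/* Added example (not from the original thread or from postgres): probe the
 * creator of a SysV shm segment with kill(pid, 0) and classify the answer.
 * Assumes POSIX + SysV IPC (FreeBSD/Linux). Names below are hypothetical. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum owner_state {
    OWNER_ALIVE,        /* kill() == 0: process exists and we may signal it */
    OWNER_PROTECTED,    /* EPERM: process exists but belongs to other creds */
    OWNER_NOT_VISIBLE,  /* ESRCH: exited, OR alive in a jail we cannot see */
    OWNER_ERROR         /* fork/IPC/unexpected errno failure */
};

/* Classify kill(pid, 0). ESRCH is deliberately NOT named "dead": as the
 * thread explains, a jailed caller gets ESRCH for a live process in
 * another jail even though the shm segment itself is visible. */
enum owner_state probe_owner(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return OWNER_ALIVE;
    switch (errno) {
    case EPERM: return OWNER_PROTECTED;
    case ESRCH: return OWNER_NOT_VISIBLE;
    default:    return OWNER_ERROR;
    }
}

/* Create a private segment, read shm_cpid (creator pid) with IPC_STAT the
 * way a server would for a segment it finds on startup, probe that pid,
 * then remove the segment again. */
enum owner_state probe_segment_creator(void)
{
    struct shmid_ds ds;
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0600);
    if (id < 0)
        return OWNER_ERROR;
    if (shmctl(id, IPC_STAT, &ds) < 0) {
        shmctl(id, IPC_RMID, NULL);
        return OWNER_ERROR;
    }
    enum owner_state st = probe_owner(ds.shm_cpid);
    shmctl(id, IPC_RMID, NULL);
    return st;
}

/* Fork a child that exits at once, reap it, then probe its pid: this is
 * the "really gone" case and yields ESRCH -> OWNER_NOT_VISIBLE, which is
 * indistinguishable from the cross-jail case using kill() alone. */
enum owner_state probe_exited_child(void)
{
    pid_t child = fork();
    if (child < 0)
        return OWNER_ERROR;
    if (child == 0)
        _exit(0);
    if (waitpid(child, NULL, 0) < 0)
        return OWNER_ERROR;
    return probe_owner(child);
}

static const char *state_name(enum owner_state s)
{
    switch (s) {
    case OWNER_ALIVE:       return "alive";
    case OWNER_PROTECTED:   return "exists, not signalable (EPERM)";
    case OWNER_NOT_VISIBLE: return "not visible (ESRCH: exited or other jail)";
    default:                return "error";
    }
}

int main(void)
{
    printf("own pid:          %s\n", state_name(probe_owner(getpid())));
    printf("segment creator:  %s\n", state_name(probe_segment_creator()));
    printf("exited child:     %s\n", state_name(probe_exited_child()));
    return 0;
}
```

Run inside a jail against a segment created in another jail, the second line would also report "not visible", which is exactly the condition that makes a server conclude the segment is stale when it is not. A robust check therefore needs either jail-aware IPC (the thread's option 2) or a second signal of ownership that does not depend on pid visibility, such as a lock held on a file in the server's own data directory.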
