Jailed sysvipc implementation.
rwatson at freebsd.org
Wed Jun 25 10:26:51 PDT 2003
On Tue, 24 Jun 2003, Pawel Jakub Dawidek wrote:
> Some time ago I've implemented private memory zones for IPC mechanism.
> Every jail and main host got its own memory for IPC operations.
> It was implemented for FreeBSD 4.x. Available at:
> I want to port this to FreeBSD 5.x, but with many improvements. Because
> of that there are few things to talk about and I'm curious if anyone
> will be interested in answering my questions and at the end committing
> this to -CURRENT.
> Patch will not be a "fast hack" so the best way will be committing this
> in parts. I got already working sysvipv_msg mechanism.
> So if anyone is interested, please inform me and I'll ask my
> questions and I'll send also what I got now.
We have some initial patches that wrap the user ipcperm structure in a
kernel-specific structure, which we use to add a MAC label. It would be
easy to also add a prison pointer. We probably won't get to merging this
patch for a couple of weeks, but it's worth keeping in mind.
This needs style cleanup, bug fixing, testing, etc, but it's the direction
we're pushing in for MAC right now.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Network Associates Laboratories
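The idea in both messages, a kernel-private wrapper around the user-visible IPC permission record that carries a jail (prison) pointer and a MAC label slot, and a lookup that only returns objects from the caller's own jail, sketched as an added example. This is constructed illustration code, not the patch discussed in the thread and not FreeBSD's actual sysvipc or jail definitions: the struct names (`ipcperm_u`, `ipcperm_k`, `prison`, `ucred`), the object table and the keys are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Everything below is a constructed sketch; the names do not mirror
 * FreeBSD's real sysvipc or jail structures. */

/* Stand-in for the user-visible permission record (ipcperm-like). */
struct ipcperm_u {
    uint32_t uid, gid;
    uint16_t mode;
};

/* Stand-in for a jail; the host is represented by a NULL pointer. */
struct prison {
    int pr_id;
};

/* Kernel-private wrapper: the user-visible record comes first, so copying
 * out the embedded struct keeps the userland layout unchanged, followed by
 * fields that never leave the kernel. */
struct ipcperm_k {
    struct ipcperm_u u;
    void *mac_label;          /* slot for a MAC label (opaque here) */
    struct prison *prison;    /* jail that created the object, NULL = host */
    int key;                  /* IPC key the object was created with */
};

/* Credential stand-in carrying the caller's jail, NULL = host. */
struct ucred {
    uint32_t cr_uid;
    struct prison *cr_prison;
};

static struct prison jail_a = { 1 };
static struct prison jail_b = { 2 };

/* Constructed object table: key 0x1234 exists both on the host and in
 * jail_a, which is exactly the collision per-jail namespaces must keep apart. */
static struct ipcperm_k objects[] = {
    { { 0, 0, 0600 },       NULL, NULL,    0x1234 },  /* host object   */
    { { 1000, 1000, 0600 }, NULL, &jail_a, 0x1234 },  /* jail_a object */
    { { 1000, 1000, 0600 }, NULL, &jail_b, 0x5678 },  /* jail_b object */
};
#define NOBJ (sizeof(objects) / sizeof(objects[0]))

/* Domain rule: an object belongs to exactly one domain (the host or one
 * jail) and a caller may only reach objects of its own domain. */
int ipc_prison_check(const struct ucred *cred, const struct ipcperm_k *perm)
{
    return cred->cr_prison == perm->prison;
}

/* Key lookup as msgget/semget/shmget would do it, filtered by domain, so a
 * jail asking for a key sees only objects created inside that jail.
 * Returns the table index or -1 when nothing is visible. */
int ipc_lookup_key(const struct ucred *cred, int key)
{
    size_t i;
    for (i = 0; i < NOBJ; i++)
        if (objects[i].key == key && ipc_prison_check(cred, &objects[i]))
            return (int)i;
    return -1;
}

/* Access by identifier (msgctl/msgsnd/shmat take an id, not a key): the
 * domain check has to be repeated here, otherwise a caller that guesses a
 * valid id would reach another domain's object. Returns 1 if permitted. */
int ipc_access_id(const struct ucred *cred, int id)
{
    if (id < 0 || (size_t)id >= NOBJ)
        return 0;
    return ipc_prison_check(cred, &objects[id]);
}

int main(void)
{
    struct ucred host = { 0, NULL };
    struct ucred in_a = { 1000, &jail_a };
    struct ucred in_b = { 1000, &jail_b };

    printf("host   key 0x1234 -> index %d\n", ipc_lookup_key(&host, 0x1234));
    printf("jail_a key 0x1234 -> index %d\n", ipc_lookup_key(&in_a, 0x1234));
    printf("jail_b key 0x1234 -> index %d\n", ipc_lookup_key(&in_b, 0x1234));
    printf("jail_a id 2       -> allowed %d\n", ipc_access_id(&in_a, 2));
    return 0;
}
```

The point of checking in both `ipc_lookup_key` and `ipc_access_id` is that SysV IPC exposes two handles to userland, the key and the id; filtering only the key lookup would still leave id-based calls crossing jail boundaries. Whether the host should see every jail's objects or only its own is a policy choice the thread leaves open; the sketch treats the host as one more domain, matching "every jail and main host got its own memory".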