kern/55163: [patch] hide kld system details from jails
Dmitry Morozovsky
marck at rinet.ru
Tue Aug 5 07:30:15 PDT 2003
The following reply was made to PR kern/55163; it has been noted by GNATS.
From: Dmitry Morozovsky <marck at rinet.ru>
To: Yar Tikhiy <yar at FreeBSD.org>
Cc: FreeBSD-gnats-submit at FreeBSD.org
Subject: Re: kern/55163: [patch] hide kld system details from jails
Date: Tue, 5 Aug 2003 18:22:53 +0400 (MSD)
On Tue, 5 Aug 2003, Yar Tikhiy wrote:
YT> > Well, security thru obscurity is not the best technique ;-)
YT> > However, it seems that reveal too much info about host system for jail user,
YT> > or even for jail admin, is not always the best. We plan to use it together with
YT> > Pawel Jakub Dawidek's jailfsstat kernel module.
YT> >
YT> > This code path is rare, so no performance problem I think. Any objections?
YT>
YT> The only objection I can see is that a generalized framework for
YT> restricting system interfaces within a jail should be developed
YT> instead of sticking in "if (foo_allowed)" everywhere.
In general I do agree; however, as far as I can see, in 5.x this functionality
*is* being developed in general way via MAC, which has no chances to be
back-ported; secondly, due to limited lifetime frame of 4.x branch, the
process of general development would not be successful => I suppose band-aid
with if(xxx_allowed) would be appropriate to achieve desired functionality.
Well, as there are objections, I suppose the discussion should be moved to
-stable@ ?
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck at rinet.ru ***
------------------------------------------------------------------------
More information about the freebsd-bugs
mailing list