Jail + sysv shmem

Koen Martens fbsd at metro.cx
Sat Nov 27 12:43:12 PST 2004

On Fri, Nov 26, 2004 at 10:58:43PM +0100, Jilles Tjoelker wrote:
> You will have trouble if two jails want to use the same IPC key (key_t,
> usually a long). This can also happen in rare cases when running
> multiple programs (unjailed) that all try to use separate SysV IPC.

Hmm.. Yes..

> In the jail case, this can be abused by attackers by (easily) guessing
> the key that an application in another jail will use and using it in
> their own jail. The attacker will have to do this before the application
> is started, or at almost any time if the application does not run all
> the time.

But, when access to the shared resource is denied on the basis of the
jail identifier, at least cross-jail attacks are not allowed anymore.

> Additionally, certain methods to generate IPC keys may give the same
> result in several jails. A common method to generate them is ftok(3).
> This uses the lower 8 bits of the st_dev and the lower 16 bits of the
> inode number. Therefore, you will get in trouble with hundreds of
> similar jails with their own mount.

Quite right, this is actually a documented bug of the ftok method. And
having multiple jails makes this a problem. However, when an IPC segment
identifier is always a tuple of jail-id + user key, no clashes should
exist except within the same jail (and this is unavoidable).

> To avoid these problems, every jail and the outside system would need
> their own IPC key space. This is harder to implement and makes access
> from the outside system to jailed IPC impossible. Alas, that's how
> AT&T's engineers designed SysV IPC decades ago.

Why would one want access from the outside system to the jailed system?
Is this something that is used frequently? Personally, I want to keep
everything as separated as possible. Obviously, the host system can
always access the jail file systems, but I do want to prevent the host
system from having IPC xx to the jails.

My main motivation btw is to be able to run postgres in a jail, which
can only be done by enabling shared mem inside jails, which is not
really an option I think. Alternatively, one can run the postgres server
in the host system, but that is not a good solution either.

I'll just start hacking soon, and see where it leads me :)


K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
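The ftok(3) collision that Jilles describes, and the jail-id + key tuple that Koen proposes as the fix, worked through as an added example. This is not code from the thread or from FreeBSD: model_ftok reproduces the key layout the quoted message describes (8 bits of proj_id, low 8 bits of st_dev, low 16 bits of st_ino) on constructed device and inode numbers rather than calling stat(2), and struct scoped_key is an assumed representation of the "tuple of jail-id + user key" idea, not an existing kernel structure. The device numbers, inode and project id are made up for the scenario of many identical jail images each on their own mount.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the ftok(3) key construction described in the quoted message:
 * 8 bits of proj_id, low 8 bits of st_dev, low 16 bits of st_ino.
 * Takes the numbers directly instead of stat(2)ing a path so it runs offline.
 */
static int32_t model_ftok(uint32_t st_dev, uint64_t st_ino, int proj_id)
{
    uint32_t k = ((uint32_t)(proj_id & 0xff) << 24)
               | ((st_dev & 0xffu) << 16)
               | (uint32_t)(st_ino & 0xffffu);
    return (int32_t)k;
}

/* Assumed representation of "jail-id + user key": the kernel would compare both. */
struct scoped_key {
    int     jid;   /* jail id, 0 for the host */
    int32_t key;   /* the key_t the application passed in */
};

static bool scoped_key_match(struct scoped_key a, struct scoped_key b)
{
    return a.jid == b.jid && a.key == b.key;
}

/*
 * Constructed scenario: n jails, each a copy of the same image on its own
 * mount, so the lock file has the same inode (same_ino) everywhere and the
 * mounts get consecutive device numbers from first_dev. Returns the number
 * of jail pairs whose raw ftok keys are identical.
 */
static int count_raw_collisions(int n, uint32_t first_dev, uint64_t same_ino, int proj_id)
{
    int collisions = 0;
    for (int i = 0; i < n; i++) {
        int32_t ki = model_ftok(first_dev + (uint32_t)i, same_ino, proj_id);
        for (int j = i + 1; j < n; j++) {
            int32_t kj = model_ftok(first_dev + (uint32_t)j, same_ino, proj_id);
            if (ki == kj)
                collisions++;
        }
    }
    return collisions;
}

/* Same scenario with every key tagged by its jail id (jail i gets jid i+1). */
static int count_scoped_collisions(int n, uint32_t first_dev, uint64_t same_ino, int proj_id)
{
    int collisions = 0;
    for (int i = 0; i < n; i++) {
        struct scoped_key a = { i + 1, model_ftok(first_dev + (uint32_t)i, same_ino, proj_id) };
        for (int j = i + 1; j < n; j++) {
            struct scoped_key b = { j + 1, model_ftok(first_dev + (uint32_t)j, same_ino, proj_id) };
            if (scoped_key_match(a, b))
                collisions++;
        }
    }
    return collisions;
}

int main(void)
{
    /* Two jails whose device numbers differ by 256; same inode for the lock file. */
    int32_t a = model_ftok(0x0105, 0x2a, 'P');
    int32_t b = model_ftok(0x0205, 0x2a, 'P');
    printf("jail A key %#x, jail B key %#x, identical: %s\n",
           (unsigned)a, (unsigned)b, a == b ? "yes" : "no");
    printf("raw ftok collisions among 300 jails: %d\n",
           count_raw_collisions(300, 1000, 0x2a, 'P'));
    printf("collisions with jail-id scoping:     %d\n",
           count_scoped_collisions(300, 1000, 0x2a, 'P'));
    return 0;
}
```

With only 8 bits of st_dev in the key, jails whose device numbers are 256 apart produce the same key for the same file, which is exactly the "hundreds of similar jails" case in the quote; scoping by jail id removes the cross-jail matches but, as Koen notes, does nothing for two programs inside one jail that pick the same key.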
