UNIX domain sockets on nullfs still broken?

Ivan Voras ivoras at freebsd.org
Mon Nov 30 15:14:59 UTC 2009


xorquewasp at googlemail.com wrote:
> On 2009-11-30 15:43:01, Ivan Voras wrote:
>> xorquewasp at googlemail.com wrote:
>>>  76030 initial thread STRU  struct sockaddr { AF_LOCAL, /tmp/jack-11001/default/jack_0 }
>>>  76030 initial thread NAMI  "/tmp/jack-11001/default/jack_0"
>>>  76030 initial thread RET   connect -1 errno 61 Connection refused
>> I would expect to see this result from the jail since it's obviously a 
>> Bad Idea, but does it work from the same (host) machine without the jail 
>> in between (i.e. just the nullfs, no jails)?
> 
> Hm, yes, you're right. It does work without a jail involved.
> 
> What's the sane solution, then, when the only method of communication
> is unix domain sockets?

It is a security problem. I think the long-term solution would be to add 
a sysctl analogous to security.jail.param.securelevel to handle this.

I don't think there is a workaround right now.
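The ktrace output quoted above shows connect() on the AF_LOCAL socket failing with errno 61 (ECONNREFUSED) from inside the jail, while the same path works on the host. The small C probe below is an added example, not code from the thread or from FreeBSD; it does not set up nullfs or a jail. It separates the three results a connect() to a socket file can give on the same machine: the path does not exist (ENOENT), a socket file exists but nothing is listening behind it (ECONNREFUSED, the case seen in the ktrace), and a live listener (success). The function names, the /tmp/uds-probe-* paths and the self-test are my own; running the binary with a path argument (for example the nullfs-mounted socket path, from inside and outside the jail) repeats the check the thread describes.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill a sockaddr_un for `path`; returns 0 or ENAMETOOLONG. */
static int make_addr(struct sockaddr_un *sa, const char *path) {
    if (strlen(path) >= sizeof(sa->sun_path))
        return ENAMETOOLONG;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_LOCAL;
    strncpy(sa->sun_path, path, sizeof(sa->sun_path) - 1);
    return 0;
}

/* connect() to the socket file at `path`.
 * Returns 0 on success, otherwise the errno that connect() produced. */
int unix_connect_errno(const char *path) {
    struct sockaddr_un sa;
    int fd, err;
    if ((err = make_addr(&sa, path)) != 0)
        return err;
    fd = socket(AF_LOCAL, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    err = connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Create a socket file at `path`: bound, and listening only if `do_listen`.
 * Returns the fd (caller closes it and unlinks the path), or -1 on failure. */
int unix_bind(const char *path, int do_listen) {
    struct sockaddr_un sa;
    int fd;
    if (make_addr(&sa, path) != 0)
        return -1;
    fd = socket(AF_LOCAL, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    unlink(path);  /* remove a stale socket file left by an earlier run */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        (do_listen && listen(fd, 1) < 0)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check of the three outcomes on the host, outside any jail:
 * no socket file (ENOENT), socket file without a listener (ECONNREFUSED),
 * and a live listener (0). Returns 0 when all three behave as expected;
 * otherwise a bitmask of the cases that did not. Paths are constructed. */
int selftest(void) {
    char nolisten[64], listening[64];
    int fd_nl, fd_l, bad = 0;
    snprintf(nolisten, sizeof nolisten, "/tmp/uds-probe-%ld-nl", (long)getpid());
    snprintf(listening, sizeof listening, "/tmp/uds-probe-%ld-l", (long)getpid());

    if (unix_connect_errno("/tmp/uds-probe-no-such-file") != ENOENT)
        bad |= 1;
    fd_nl = unix_bind(nolisten, 0);
    if (fd_nl < 0 || unix_connect_errno(nolisten) != ECONNREFUSED)
        bad |= 2;
    fd_l = unix_bind(listening, 1);
    if (fd_l < 0 || unix_connect_errno(listening) != 0)
        bad |= 4;
    if (fd_nl >= 0) close(fd_nl);
    if (fd_l >= 0) close(fd_l);
    unlink(nolisten);
    unlink(listening);
    return bad;
}

/* With a path argument: report what connect() says about that socket file.
 * Without one: run the self-check. */
int main(int argc, char **argv) {
    if (argc > 1) {
        int err = unix_connect_errno(argv[1]);
        printf("connect %s: %s\n", argv[1], err ? strerror(err) : "ok");
        return err ? 1 : 0;
    }
    return selftest();
}
```

ECONNREFUSED here is the interesting answer: the name lookup succeeded (so the file is visible through the mount) but the kernel could not pair it with a listening socket. That matches the thread's observation that the nullfs path looks fine from inside the jail yet the connect still fails, and it is distinct from a plain ENOENT, which would point at a path or mount problem instead.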


