Jail support for mac_portacl(4).
Samy Al Bahra
samy at kerneled.org
Sun May 29 07:21:09 PDT 2005
On Sun, 2005-05-29 at 15:02 +0100, Robert Watson wrote:
> On Tue, 24 May 2005, Pawel Jakub Dawidek wrote:
>
> > This patch gives another option, so one doesn't need to use a firewall for
> > this purpose. It adds a new idtype - 'jid'. With this patch, one can
> > configure that the jail with the given JID can use only the defined ports:
> >
> > # sysctl security.mac.portacl.rules="jid:1:tcp:80"
> >
> > Patch is here:
> >
> > http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch
> >
> > Any objections?
>
> This sounds fine to me, especially since it doesn't break forwards
> compatibility from older mac_portacl rule sets.
>
> However, I've CC'd Samy Al Bahra, who has a set of outstanding mac_portacl
> patches that are similar, and might have some comments on your proposed
> changes. My primary concern with his changes was that they changed the
> syntax in a way that broke backwards compatibility to older defined rules;

That was fixed.
I think pjd@'s syntax changes are not that flexible (and well, as
useful). Please take a look at
http://samy.kerneled.org/patches/portacl.patch
Support for an "add" and "none" keyword was added as well (except for
the uid/gid field). This is a copy I sent to Robert a couple of months
ago. If pjd@ wishes, he can modify this patch to his style and apply the
"all" keyword to the uid/gid identifier in order to bind all processes
in a jail to a rule (if he wishes).
Thanks.
--
Samy Al Bahra
|------- http://samy.kerneled.org
|------- http://www.FreeBSD.org
'------- http://www.arabeyes.org
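The rule string discussed in the quoted patch (`jid:1:tcp:80`) follows the mac_portacl(4) layout of `idtype:id:protocol:port` entries separated by commas. The following parser and policy check is an added example written for this archive page; it is not code from the thread, from either patch, or from FreeBSD. The stock mac_portacl(4) only knows the `uid` and `gid` idtypes; the `jid` idtype, and the assumption that a `jid` rule matches only a process inside the jail with that id (and never an unjailed process), are modelled on the proposed syntax rather than taken from the patch source. The `port_high` and `suser_exempt` parameters mirror the `security.mac.portacl.port_high` (default 1023) and `security.mac.portacl.suser_exempt` (default 1) sysctls.

```python
"""Parse mac_portacl(4)-style rule strings and evaluate a bind request.

Added example, not code from the mailing-list thread or from FreeBSD.
The 'jid' idtype is the one proposed in the quoted patch and is an
assumption here; stock mac_portacl(4) supports only 'uid' and 'gid'.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

IDTYPES = {"uid", "gid", "jid"}   # 'jid' assumed, per the proposed patch
PROTOCOLS = {"tcp", "udp"}


@dataclass(frozen=True)
class Rule:
    idtype: str     # uid | gid | jid
    ident: int      # the uid, gid or jail id the rule applies to
    protocol: str   # tcp | udp
    port: int       # 0..65535


@dataclass(frozen=True)
class Subject:
    """The process attempting the bind. jid 0 means 'not jailed' (assumption)."""
    uid: int
    gids: FrozenSet[int]
    jid: int = 0


def parse_rules(spec: str) -> List[Rule]:
    """Parse 'idtype:id:proto:port[,idtype:id:proto:port...]' into Rule objects.

    Raises ValueError on any malformed entry, so a bad rule set is rejected
    as a whole rather than silently loading a partial policy.
    """
    rules: List[Rule] = []
    spec = spec.strip()
    if not spec:
        return rules          # empty rule set: nothing is explicitly permitted
    for entry in spec.split(","):
        fields = entry.strip().split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed rule {entry!r}: expected 4 colon-separated fields")
        idtype, ident_s, proto, port_s = fields
        if idtype not in IDTYPES:
            raise ValueError(f"unknown idtype {idtype!r} in {entry!r}")
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r} in {entry!r}")
        if not (ident_s.isdigit() and port_s.isdigit()):
            raise ValueError(f"id and port must be non-negative integers in {entry!r}")
        ident, port = int(ident_s), int(port_s)
        if port > 65535:
            raise ValueError(f"port {port} out of range in {entry!r}")
        rules.append(Rule(idtype, ident, proto, port))
    return rules


def is_valid_spec(spec: str) -> bool:
    """True if the whole rule string parses; handy for validating before loading."""
    try:
        parse_rules(spec)
        return True
    except ValueError:
        return False


def rule_matches(rule: Rule, subj: Subject, proto: str, port: int) -> bool:
    """A rule matches when protocol, port and the subject's identity all agree."""
    if rule.protocol != proto or rule.port != port:
        return False
    if rule.idtype == "uid":
        return rule.ident == subj.uid
    if rule.idtype == "gid":
        return rule.ident in subj.gids
    # 'jid' (assumed semantics): only a jailed process with exactly that id
    return subj.jid != 0 and rule.ident == subj.jid


def bind_allowed(rules: List[Rule], subj: Subject, proto: str, port: int,
                 port_high: int = 1023, suser_exempt: bool = True) -> bool:
    """Model of the mac_portacl bind check.

    Ports above port_high are unrestricted; the superuser is exempt when
    suser_exempt is set; otherwise some rule must explicitly permit the bind.
    """
    if port > port_high:
        return True
    if suser_exempt and subj.uid == 0:
        return True
    return any(rule_matches(r, subj, proto, port) for r in rules)


if __name__ == "__main__":
    # Constructed sample: the rule set from the thread, checked for a jailed
    # web-server user (jid 1) and for a process in a different jail (jid 2).
    rules = parse_rules("jid:1:tcp:80")
    www_in_jail1 = Subject(uid=80, gids=frozenset({80}), jid=1)
    www_in_jail2 = Subject(uid=80, gids=frozenset({80}), jid=2)
    print("jail 1 -> tcp/80:", bind_allowed(rules, www_in_jail1, "tcp", 80))
    print("jail 2 -> tcp/80:", bind_allowed(rules, www_in_jail2, "tcp", 80))
```

Note that an empty `security.mac.portacl.rules` leaves every non-root bind to a privileged port denied; that is the default-deny stance the module is built around, which is why rejecting a whole rule set on one malformed entry is the safer failure mode.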