new feature: private IPC for every jail
Koen Martens
fbsd at metro.cx
Tue Apr 4 11:00:21 UTC 2006
Robert Watson wrote:
>
> Hmm. This sounds like it might be workable. To make sure I understand
> your proposal:
>
> - We add a new prison ID field to the in-kernel description of each
>   segment, semaphore, message queue, etc. This is initialized to the
>   prison ID of the process creating the object at the time of creation.
>
> - shmget(), et al, will, in addition to matching the key when searching
>   for an existing object, will also attempt to match the prison ID of
>   the object to the process. For the sake of completeness, we will use
>   prison ID 0 for unjailed processes (or something along those lines).
>   This guarantees that two jails, or even the host and a jail, will
>   never receive an ID already allocated to another jail, and in
>   particular, not an ID for an object from another jail with the same
>   key as might be used in the current jail.
>
> - shmat(), et al, will perform an access control check to confirm that
>   if a process is jailed, its prison ID matches that of the object.
>
> Is it necessary, as you suggest, to change the IPC ID name space at
> all? I assume applications do consistently use shmget() to look up IDs,
> and that they can't/don't make assumptions about long-term persistence
> of those mappings across boot (which is effectively what a jail restart
> is)? Is the behavior of IPXSEQ_TO_IPCID() something that has documented
> or relied on properties, or are we free to perform a mapping from a name
> (key) to an object (id) in any way we choose?
>
> I guess another change is also needed:
>
> - At jail termination, we GC all resources with the prison ID in question.
>
> This prevents a future jail from turning up with the same ID and seeing
> old shared memory (etc) segments.
FWIW, I already implemented this once for 5.x a while back, but
abandoned the project due to lack of time back then. If no-one else
is going to pick this up, I might try and dig up that code again,
and port it to 6.x, since this feature is still quite high on my
wish list.
Best,
Koen
--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, hosting, embedded systems, unix, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
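A small user-space model of the three changes proposed in the quoted message (prison ID stored at creation, shmget()-style lookup matching key and prison ID, shmat()-style access check, and GC at jail termination). This is an added illustration, not FreeBSD kernel code; the fixed-size table, the slot index used as the IPC id, and prison ID 0 for unjailed processes are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

#define HOST_PRISON 0       /* assumption: unjailed processes carry prison ID 0 */
#define MAX_OBJS 16         /* assumption: tiny fixed table instead of the kernel's */
#define KEY_PRIVATE 0       /* stands in for IPC_PRIVATE: never matched on lookup */

struct ipc_obj {
    int in_use;
    long key;
    int prison;             /* the proposed new field: prison ID at creation time */
};

static struct ipc_obj table[MAX_OBJS];

static void ipc_reset(void) { memset(table, 0, sizeof table); }

/* shmget()-like: reuse an object only if BOTH key and prison ID match the caller;
 * otherwise create a fresh one. Returns the IPC id (here the slot index) or -1. */
static int ipc_get(long key, int prison) {
    int i;
    if (key != KEY_PRIVATE)
        for (i = 0; i < MAX_OBJS; i++)
            if (table[i].in_use && table[i].key == key && table[i].prison == prison)
                return i;
    for (i = 0; i < MAX_OBJS; i++)
        if (!table[i].in_use) {
            table[i].in_use = 1; table[i].key = key; table[i].prison = prison;
            return i;
        }
    return -1;              /* table full */
}

/* shmat()-like check: a jailed caller may only attach objects of its own prison;
 * an unjailed caller (prison 0) is not restricted. Returns 1 if allowed. */
static int ipc_attach_ok(int id, int prison) {
    if (id < 0 || id >= MAX_OBJS || !table[id].in_use) return 0;
    return prison == HOST_PRISON || table[id].prison == prison;
}

/* Jail termination: GC every object owned by that prison. Returns count freed. */
static int ipc_gc_prison(int prison) {
    int i, freed = 0;
    for (i = 0; i < MAX_OBJS; i++)
        if (table[i].in_use && table[i].prison == prison) { table[i].in_use = 0; freed++; }
    return freed;
}

int main(void) {
    ipc_reset();
    int a = ipc_get(1234, 1), b = ipc_get(1234, 2);   /* same key, two jails */
    printf("jail1 id=%d jail2 id=%d jail2 may attach jail1's: %d\n", a, b, ipc_attach_ok(a, 2));
    printf("freed on jail1 exit: %d\n", ipc_gc_prison(1));
    return 0;
}
```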