[patch] separate SysV IPC namespace for jail

kikuchan kikuchan at uranus.dti.ne.jp
Fri Jun 5 22:24:37 UTC 2015


Hello,

I want to run multiple instances of PostgreSQL with jail.

Changing UID is not suitable for my case,
so I created a simple patch for stable/10 to separate SysV IPC
namespace for each jail.

In contrast to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471 ,
this patch comes with:
 - All objects are visible to ipcs(1), whether in jails or not.
 - Attempts to access objects beyond the jail are rejected with EACCES.
 - The (key_t, prison) pair is treated as the key for a named object.
 - Very simple implementation; I just added a check that
msqkptr->cred->cr_prison == td->td_ucred->cr_prison, for example.

Is this approach suitable for FreeBSD kernel?

If you find it is useful, or bugs, please let me know.

P.S.
 There is no way to know from userland which jails own the objects, so far.

Regards,

kikuchan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jailed-sysvipc-for-stable10.patch
Type: text/x-patch
Size: 21776 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20150606/7736309b/attachment.bin>