Allowing tmpfs to be mounted in jail?
Sam Fourman Jr.
sfourman at gmail.com
Thu Aug 22 23:20:23 UTC 2013
Xin Li,
>
> I can envision the use of tmpfs without providing access to mounting other
> devices within a jail context.
>
> It would be better if this feature had its own sysctl to control the
> jail's state, particularly as a DoS could "inadvertently" be
> introduced, per Kib's earlier point. Other device types have additional
> mitigation strategies, such as exclusion via dev.rules
> which tmpfs doesn't have.
>
> Regards, Dewayne.
>
>
Xin,
This is a great feature and it has several use cases. What about the
possibility of a sysctl that adds a max amount
that a jail could set a tmpfs... this would be per jail. Now in theory you
could overcommit resources, but that would
be an administrator's decision, and not one jail could consume all resources.
--
Sam Fourman Jr.
More information about the freebsd-security mailing list