fdescfs patch for working hierarchical jails

James Gritton jamie at gritton.org
Sat Sep 27 16:18:41 UTC 2014


On 9/27/2014 6:06 AM, Ruben van Staveren wrote:
> Hi James, others,
>
> On 26 Sep 2014, at 21:28, James Gritton <jamie at gritton.org> wrote:
>
>> On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
>>> Hi,
>>>
>>> Could a committer have a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
>>>
>>> This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
>>>
>>> Thanks!
>>>
>>> Best Regards,
>>>      Ruben van Staveren
>> This would have to go into current first, and then MFC.  Considering
>> 10.1 is getting close to release, I suspect it wouldn't be allowed in.
> I agree, probably better to do it that way indeed.
>
>> Also, I'm not sure I'd want to implement this in quite the proposed
>> way: it might suffice (from a security viewpoint) to use the existing
>> allow.mount.devfs for mounting fdescfs.
> Wouldn’t that be misleading? It would be better to mop up the various pseudofses under the monicker allow.mount.pseudofs.

My thinking is that fdescfs is practically the same as what devfs
already offers - just more descriptors in /dev/fd than the basic
three.  I can't see why allowing one wouldn't be akin to allowing the
other.  In fact, I fail to understand why it was made a separate
filesystem in the first place.  Perhaps someone on the sec team will
tell me otherwise when I ask (which I ought to do before forging
ahead).

- Jamie

