svn commit: r318751 - in head/sys: kern sys
Allan Jude
allanjude at freebsd.org
Sat Oct 21 22:55:40 UTC 2017
On 2017-10-21 18:45, Steven Hartland wrote:
> Personally I hate that idea as like being able to see all the processes
> from the host.
>
> I have a similar hate of Linux containers where you have to jump though
> hoops just to see whats really happening on the host.
>
> On Sat, 21 Oct 2017 at 20:29, Allan Jude <allanjude at freebsd.org
> <mailto:allanjude at freebsd.org>> wrote:
>
> On 2017-05-23 12:59, Steve Wills wrote:
> > Author: swills (ports committer)
> > Date: Tue May 23 16:59:24 2017
> > New Revision: 318751
> > URL: https://svnweb.freebsd.org/changeset/base/318751
> >
> > Log:
> > Add security.bsd.see_jail_proc
> >
> > Add security.bsd.see_jail_proc sysctl to hide jail processes
> from non-root
> > users
> >
> > Reviewed by: jamie
> > Approved by: allanjude
> > Relnotes: yes
> > Differential Revision: https://reviews.freebsd.org/D10770
> >
> I user was asking about this issue on IRC today.
>
> I think I have changed my mind a bit.
>
> I think we should make the default be off (so you can't see processes in
> a jail from the host) by default in 12.
>
> And that we should MFC this sysctl to stable/11, but not change the
> default behaviour there.
>
> Anyone else have thoughts?
>
> --
> Allan Jude
>
Note: this does NOT change root's ability to see the processes in the jail.
I just stops uid 1001 on the host, from using the processes owned by uid
1001 in each jail, even in the presence of: security.bsd.see_other_uids=0
--
Allan Jude
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-src-all/attachments/20171021/98c57cfe/attachment.sig>
More information about the svn-src-all
mailing list