svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail

Robert N. M. Watson rwatson at FreeBSD.org
Wed Feb 5 19:56:51 UTC 2014


On 5 Feb 2014, at 19:05, John Baldwin <jhb at FreeBSD.org> wrote:

> A short term solution that would permit non-security jails without having to 
> do the longer term work that Robert would like might be to add a new per-jail 
> flag that in effect means "no security at all".  You would then modify one 
> place (prison_priv_check() in kern_jail.c) to treat a jail with this flag set 
> as if it wasn't jailed at all.  This would clearly communicate to a user what 
> they were doing by enabling this flag (jail --root-me-please), and it would 
> also avoid future proliferation of new flags to add more optional and obscure 
> holes in jails.

One path to this goal would be to better differentiate the idea of a 'jail' from a more generic notion of a 'container'. I'm a bit loath to use the latter term due to conflicts with the Linux convention which uses 'container' to refer to something more like our 'jail', but in many ways it would be useful. You could imagine having two variations on the jail(8) command: today's jail(8) with security properties, and a new container(8) from the same man page, but with only virtualisation, not security properties.

In general, there are two objections being raised here, which I think you capture well: (1) an architectural concern about appropriate implementation and its implications, and (2) appropriate presentation/documentation for the user to prevent the significant surprise they will get when they turn on an option without understanding its implications.

Robert
