I'm polishing up the "JAIL" code I wrote and readying it for -current.
This code provides an optional strenthening of the chroot() jail
as we know it, and will provide safe sandboxes for most practical
uses.
The biggest impact of this is a new argument to the suser() call
all over the kernel:
suser(NOJAIL, bla, bla);
or
suser(0, bla, bla);
The NOJAIL option means that a jailed root fails the test.
I will add this extra arg to suser() in the first commit.
Each Jail can optionally be assigned one IP number, which they
have access to. All connections to and from that jail will
use that IP#.
If there is interest, this code will be merged to 3.1 as well.
This work was sponsored by: www.servetheweb.com
--
Poul-Henning Kamp FreeBSD coreteam member
p...@freebsd.org "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
To Unsubscribe: send mail to majord...@freebsd.org
with "unsubscribe freebsd-current" in the body of the message
