On 5 Feb 2014, at 19:05, John Baldwin <j...@freebsd.org> wrote:

> A short term solution that would permit non-security jails without having to 
> do the longer term work that Robert would like might be to add a new per-jail 
> flag that in effect means "no security at all".  You would then modify one 
> place (prison_priv_check() in kern_jail.c) to treat a jail with this flag set 
> as if it wasn't jailed at all.  This would clearly communicate to a user what 
> they were doing by enabling this flag (jail --root-me-please), and it would 
> also avoid future proliferation of new flags to add more optional and obscure 
> holes in jails.

One path to this goal would be to better differentiate the idea of a 'jail' 
from a more generic notion of a 'container'. I'm a bit loath to use the latter 
term due to conflicts with the Linux convention which uses 'container' to refer 
to something more like our 'jail', but in many ways it would be useful. You 
could imagine having two variations on the jail(8) command: today's jail(8) 
with security properties, and a new container(8) from the same man page, but 
with only virtualisation, not security properties.

In general, there are two objections being raised here, which I think you 
capture well: (1) an architectural concern about appropriate implementation and 
its implications, and (2) appropriate presentation/documentation for the user 
to prevent the significant surprise they will get when they turn on an option 
without understanding its implications.

Robert
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head