On 2017-10-21 18:45, Steven Hartland wrote: > Personally I hate that idea as like being able to see all the processes > from the host. > > I have a similar hate of Linux containers where you have to jump though > hoops just to see whats really happening on the host. > > On Sat, 21 Oct 2017 at 20:29, Allan Jude <allanj...@freebsd.org > <mailto:allanj...@freebsd.org>> wrote: > > On 2017-05-23 12:59, Steve Wills wrote: > > Author: swills (ports committer) > > Date: Tue May 23 16:59:24 2017 > > New Revision: 318751 > > URL: https://svnweb.freebsd.org/changeset/base/318751 > > > > Log: > > Add security.bsd.see_jail_proc > > > > Add security.bsd.see_jail_proc sysctl to hide jail processes > from non-root > > users > > > > Reviewed by: jamie > > Approved by: allanjude > > Relnotes: yes > > Differential Revision: https://reviews.freebsd.org/D10770 > > > I user was asking about this issue on IRC today. > > I think I have changed my mind a bit. > > I think we should make the default be off (so you can't see processes in > a jail from the host) by default in 12. > > And that we should MFC this sysctl to stable/11, but not change the > default behaviour there. > > Anyone else have thoughts? > > -- > Allan Jude >
Note: this does NOT change root's ability to see the processes in the jail. I just stops uid 1001 on the host, from using the processes owned by uid 1001 in each jail, even in the presence of: security.bsd.see_other_uids=0 -- Allan Jude
signature.asc
Description: OpenPGP digital signature