
Re: Re: Debian BSD.. cool idea



Raul Miller writes:

> On Tue, Feb 01, 2000 at 12:22:55AM -0600, Dan Potter wrote:
> > >] apropos jail
> > jail(2) - Imprison current process and future decendants
> >
> > This is different, it's a FreeBSD 4.0 kernel-based thing. It's much more
> > powerful than chroot but similar. It's chroot plus it restricts root's
> > capabilities and makes only processes in the same jail and one IP address
> > accessible. I'm guessing this is for building virtual machines under a
> > main machine, which is what we're doing where I work...
> 
> Hmm... chroot plus constrain ip, plus per-process syslevel.
> 
> I don't know how to tackle the ip addr lock down.  I'm sending email to
> someone who does -- hopefully he'll tell me.
> 
> Most of the work has already been done to constrain root under linux.
> You'd need to change the definition of cap_set_full (a #define in
> <linux/capability.h>), to use a mask which is kept in ->current, and
> you'd need to add a syscall to reduce the set of privileges in the
> mask.  If you could confirm that the capabilities in <linux/capability.h>
> are relevant to the needs of jail, I could go ahead and write up a
> patch that implements this feature.

Now if I could put resource constraints on processes, too, that would be
really useful.  It _would_ be extremely cool if someone made the
capabilities stuff in Linux and FreeBSD work the same way. Especially since
there's no standard that applies to this yet.

> > > > Things like 'ps' and 'top' use BSD-specific methods since the POSIX
> > > > committee in all their wisdom decided against specifying a way to
> > > > introspect the system. So you'd need these too.
> > > 
> > > It's not so pleasant if independent versions of such things have to be
> > > resupplied for every kernel.  Do they?
> > 
> > Unfortunately, yes. That's the kernel dependencies I was talking about
> > working around (and that the other Dan was talking about).
> 
> Ok, so for BSD there would have to be a kernel release specific set of
> such binaries.  This should still be quite a bit smaller than everything
> that's in /usr/bin/ on a BSD system.
> 
> Might be worth having a release-specific directory which could underly
> the debian /usr/bin/ -- this would allow reboots across kernel releases
> without having to worry about package installs.

Or you could just update init (shouldn't cause any problems), and have the
first script it runs update some symlinks... Basically, we're forced into
installing some binaries with a kernel release. There's no way around that
right now. But there are several ways to handle updating them.

Does FreeBSD have an equivalent to initrd?  We could hack together a script
to match versions and update symlinks at boot. Then you could boot between
multiple kernel versions. :)
