User Details
- User Since
- Jun 27 2021, 7:29 PM (176 w, 6 d)
Aug 14 2024
Address style feedback.
Aug 13 2024
Using this /etc/jail.conf:
.include "/usr/local/etc/jail[.]conf"; .include "/etc/jail.d/*.conf"; .include "/usr/local/etc/jail.d/*.conf";
Feb 7 2024
Feb 2 2024
The __specialfd() system call is good to know about, but on its own doesn't provide a way to atomically create a configured jail with its lifetime tied to the file descriptor unlike passing a negative integer as "desc" argument to jail_set. There would either be a window where the jail would exist without a file descriptor associated with it which would reintroduce races and resource leak or the file descriptor has to start out unattached to a jail and be passed to the jail_set(JAIL_CREATE) call. The later design choice would get rid of the awkwardness of (ab-)using negative file descriptor numbers to request a file descriptor via an in-out parameter.
Feb 1 2024
Jan 15 2024
Dec 29 2023
Nov 6 2023
Is there enough space in the message to help users by giving them a reference to the new interface to express the same configuration and what form of reference would work well for this?
Oct 26 2023
Good catch.
Sep 7 2023
Aug 23 2023
The interface name restriction function is a judgment call restricting users from creating problematic (for shell scripts) interface names. Applying the same restrictions to existing services like netif and routing could break (partly) working configurations.
Aug 18 2023
Aug 4 2023
Jun 13 2023
Jun 12 2023
The jail_name variable must be initialised to NULL. This should be done through an explicit char * jail_name = NULL; in line 101 of route.c.
Jun 2 2023
It reads to me like initialising jail_name to NULL and replacing if (usejail) with if (jail_name != NULL) would make the usejail variable superfluous. Splitting a pointer and its validity into two variables like this (jail_name and usejail) introduces the potential for contradiction if only one of the two is updated. If this split is required for something I would like to see them stored together in a struct { char *, bool } instead of destructured into two variables.
Jun 1 2023
Just a small nitpick: I would prefer a macro #define MAX_INCLUDE_DEPTH 32 or constant static const unsigned int max_include_depth = 32; somewhere above the include_config() in config.c instead of the literal to improve readability.
May 10 2023
The jail(8) man page needs to be updated to reflect the new -F flag.
May 8 2023
What is gained by having PID 1 acquire sub-reaper status given that it's the reaper? What are the expected semantics for proctl(PROC_REAP_ACQUIRE) in PID 1? Would it be enough to wrap the procctl(…) call with if ( getpid() != 1 ) { … } or is there more to this?
Mar 31 2023
This change has been blamed to cause kernel panics on the FreeBSD current mailing list: https://lists.freebsd.org/archives/freebsd-current/2023-March/003381.html. It's been reported that reverting commit 0b56641cfcda30d06243223f37781ccc18455bef allows starting jails without triggering the observed kernel panic.