User Details
- User Since
- Aug 3 2014, 10:29 PM (531 w, 1 d)
Sat, Oct 5
I suppose this will make more sense once there's at least one MAC policy that has an associated jail parameter. Currently, it seems to suggest (being a jailsys parameter) that there's some sort of valid "new" or "deleted" state for MAC inside the jail.
Tue, Sep 24
Thu, Sep 19
Aug 16 2024
Aug 12 2024
Aug 5 2024
This comes from discussion in Bug 277210.
Jun 28 2024
Jun 24 2024
Jun 21 2024
Jun 19 2024
Jun 10 2024
Is there any value in a virtual time, i.e. letting a jail have its own clock? Apart from a test framework, I can't think of any, but maybe someone else can. That was actually my first thought when I saw the title of this, rather than encapsulating ntpd.
May 16 2024
Diff updated for libsys and other recent changes.
Mar 17 2024
Feb 23 2024
Yes, this is a better way.
Feb 21 2024
I'll admit very little familiarity with the testing framework. If there's a standard to show a test as skipped that doesn't indicate a problem, that sounds best. But if it just claims that it's passed, it would seem better to just not run it. Though both is probably a good idea: still have it pass (like if the test was built at another time), but don't build it on a jail-less system.
Feb 11 2024
Feb 5 2024
Here's the latest diff to address concerns so far (except those that request proper documentation).
Feb 4 2024
Sure, looks helpful for just such a situation.
Feb 2 2024
Feb 1 2024
Jan 26 2024
Jan 25 2024
Looks good to me!
c) Or something else what I have not spotted yet :)
c) Jamie wasn't thinking and of course you don't need it for read-only.
Jan 23 2024
You'll want to add CTLFLAG_PRISON to the sysctl flags.
Jan 21 2024
Jan 17 2024
I'm not sure why this limit exists in the first place (it predates me). I suppose it's just for neatness' sake, with the idea no one would have more jails than that anyway. But as long as it's around, it might as well be known.
Jan 5 2024
That's fine if there's a use for it, such as to quiet errors.
Dec 21 2023
Nov 30 2023
Nov 21 2023
Nov 20 2023
The command parameters (including "command" itself) are well established as being run during jail setup and teardown. I would expect a lot of existing configuration to have problems with the command being run when the jail has already started up. While it makes sense on the command line, I don't want to break the connection between file configuration and command line configuration (more than it's already broken).
Nov 18 2023
Oct 12 2023
Oct 11 2023
Nothing new, though I just updated the diff against the latest sources.
Oct 2 2023
Sep 28 2023
Sep 25 2023
Sep 24 2023
Sep 14 2023
Sep 9 2023
Sep 7 2023
Sep 5 2023
Sep 4 2023
Aug 31 2023
Aug 28 2023
Aug 26 2023
Aug 10 2023
The important part of this clearly good.
Jun 29 2023
Looks good to me. But then the original that did the direct cr_uid check looked apparently good to me too, so take it for what it's worth.
Jun 7 2023
Commited in eb5bfdd06565. I forgot to add the review to the commit message :-/
Jun 4 2023
I've committed the "jails can include jails" and "use the recursive parser" bits separately. This new diff is just the part that handles the includes.
Jun 1 2023
May 31 2023
Simple include-loop prevention with via a maximum depth counter.
May 26 2023
Rather than add a separate value different from the kern.fallback_elf_brand sysctl, it would make sense for the jail parameter to be tied to the sysctl itself, such as the securelevel parameter is. It's complicated somewhat by the fact that there are three similar sysctls.
May 25 2023
May 23 2023
True, they're not handled. I took my include inspiration from newsyslog (which has includes that also support globbing), and there it's also just a simple matter or running whatever it's told to include. It's kind of a footgun situation, where it's generally good enough to trust the administrator not to make such a loop. I did it for depend loops, but only because that's kind of elemental in building an acyclic directed graph.
May 21 2023
New and improved diff :-)
I just created D40188, which is my take on solving this issue. It goes the include-file direction, and doesn't require and changes to rc.conf, since jail.conf is where such changes are made. The jail(8) command line also remains untouched.
May 5 2023
Mar 12 2023
s/novnetjail/nojailvnet/
Feb 21 2023
Feb 20 2023
This makes perfect sense to me. The original version only set redo_ip[46] provisionally , and I missed that the patch changed that.