User Details
- User Since
- Aug 19 2014, 3:56 PM (334 w, 2 d)
Tue, Jan 12
Sun, Jan 10
Sat, Jan 9
Mon, Jan 4
Sun, Jan 3
Nov 18 2020
What was motivation for this? Do you have any use case for that?
me_igalic.co I will created for this separated review.
Nov 13 2020
Changes after markj@ and jamie@ review.
Nov 12 2020
Nov 9 2020
Gotcha, thank you I will refactor the code.
@kevans Thank you for the review. :) I fixed the typo.
@emaste Sorry, fixed.
@jamie
If I understand correctly - the allow.* and the suser has a reverted values. You can disable suser, which by default is enabled. I wanted to made it exactly the same as sysctl on the hosts system, but I don't have strong opinion here.
I'm not sure if I understand. Do you suggest to have allow.suser which allow you to change the suser sysctl?
There should be no possibility to get back the suser priviliged inside the jail.
In the scenario I tested you can give/retrieve the suser from the host.
Nov 8 2020
Nov 7 2020
Nov 6 2020
Nov 4 2020
I created ZFS pull request: https://github.com/openzfs/zfs/pull/11152
Nov 3 2020
Oct 26 2020
I would prefer to commit this version. Sorry for me not responding for a while.
The whole limit infrastructure is missing for capnet,
I think I prefer the cap_netdb for those purpose.
If I recall it we had a few ideas what to add to netdb.
Oct 19 2020
From my understanding, doing work in the user interface functions is the same as doing work in user program, as they are the same process. It won't be allowed if program is in cap mode.
Thats right, cap_exec_init, cap_exec_open, cap_exec_close are done potentialy in the sandboxed process.
I was mistaken we need service like this, we just need to work a little bit more on it.
Ou but I guess you wan't your new process not being in sandbox, right?
Please don't take this an a criticisms I just would like to know the advantages of this approach.
I wonder we can't just use fileargs and fexecve?
Sep 28 2020
Sep 6 2020
Aug 18 2020
Aug 16 2020
Aug 3 2020
Jul 27 2020
Jul 20 2020
Jul 10 2020
Jul 5 2020
Update after emaste, markj and bcr review.
Jun 9 2020
Oh sorry @emaste I some how didn't get the emails from your comments. I will address them ASAP.
Jun 1 2020
May 21 2020
May 20 2020
Typo pointed by @kevans. Thanks!
May 19 2020
May 11 2020
Thank you @bcr and @greg_unrelenting.technology
Man pages fixes.
May 5 2020
May 4 2020
Apr 11 2020
Apr 8 2020
Apr 7 2020
Mar 12 2020
Mar 11 2020
If you want I can commit this for you.
Feb 19 2020
Some more notes.
Feb 7 2020
Oh sorry I miss read the patch.
Then this looks good to me :)
This doesn't break multiple encrypted disks?
If I have 3 disk and only one should be decrypted by the loader?
Feb 5 2020
Jan 20 2020
Jan 6 2020
Like Matt suggested I checked the behavior on Linux as well.
Jan 3 2020
Thank you for working on this!
This doesn't seems like simple peace of code.