Re: changing kernsecurelevel

From: Robert Watson
Date: 01/07/01

Date: Sun, 7 Jan 2001 12:07:57 -0500 (EST)
From: Robert Watson
To: Evan S

On Sun, 7 Jan 2001, Evan S wrote:

> Mm, Openroot runs on -CURRENT, and users are able to apply those flags
> to files. But, I made a little patch, and it seems to work. They're not
> able to do it anymore.

Aha. They can add, but not remove, right? That probably should be
changed -- feel free to e-mail me a patch and I'll apply as appropriate.

> Other than that I'm happy with the way Jail works. The above was the
> only problem I had.

Great. Contributions in this space are always welcome :-).

There is a patch in the PR database, btw, that deals with another problem
with jail() that you might potentially run into: resource limits are
currently global in scope, and not per-jail(). This has positive and
negative aspects, and the patch doesn't address all of the problems that
need to be addressed, I believe. Really, we'd like to have per-jail
resource limits, and then within that scope per-uid-per-jail limits.
However, the current resource mechanism is not structured to support this.
I believe the patch addresses the per-uid-per-jail aspect, but does not
allow the host administrator to specify per-jail limits to bound the
resources allocated to a particular jail. With the gradual cleanup of
credentials and resource limit structures, as well as a possible eventual
move of the jail pointer into ucred or pcred, this problem will probably
be more easily addressed.

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
NAI Labs, Safeport Network Services
