Re: Jail support for mac_portacl(4).

From: Robert Watson (rwatson_at_FreeBSD.org)
Date: 05/29/05

    Date: Sun, 29 May 2005 15:02:37 +0100 (BST)
    To: Pawel Jakub Dawidek <pjd@FreeBSD.org>

    On Tue, 24 May 2005, Pawel Jakub Dawidek wrote:

    > This patch gives another option, so one doesn't need to use a firewall for
    > this purpose. It adds a new idtype, 'jid'. With this patch, one can
    > configure that a jail with the given JID can use only the defined ports:
    >
    > # sysctl security.mac.portacl.rules="jid:1:tcp:80"
    >
    > Patch is here:
    >
    > http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch
    >
    > Any objections?

    This sounds fine to me, especially since it doesn't break forwards
    compatibility from older mac_portacl rule sets.

    However, I've CC'd Samy Al Bahra, who has a set of outstanding mac_portacl
    patches that are similar, and might have some comments on your proposed
    changes. My primary concern with his changes was that they changed the
    syntax in a way that broke backwards compatibility to older defined rules;
    on the other hand, his version of the changes allowed further scoping of
    things like "user id 80 in jail 20 can bind port 80", whereas the above
    supports a single layer of scoping.

    Robert N M Watson
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
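The rule syntax under discussion is `idtype:id:proto:port`, with the patch adding `jid` beside the existing `uid` and `gid` idtypes. The following is an added user-space model of how such a rule set is parsed and checked against a bind(2) request; it is not FreeBSD kernel code and not the patch itself. The `port_high` and `suser_exempt` parameters mirror the module's sysctls of the same names in simplified form, and the `Rule`, `BindRequest` and `bind_allowed` names are this example's own.

```python
# Added illustration: a user-space model of mac_portacl(4) rule parsing and
# evaluation, extended with the 'jid' idtype proposed in the thread. Not the
# FreeBSD kernel code; port_high / suser_exempt are simplified stand-ins for
# the module's sysctls of those names.
from dataclasses import dataclass

IDTYPES = {"uid", "gid", "jid"}      # 'jid' is the addition from the proposed patch
PROTOCOLS = {"tcp", "udp"}


@dataclass(frozen=True)
class Rule:
    idtype: str
    id: int
    proto: str
    port: int


def parse_rules(spec: str) -> list[Rule]:
    """Parse the value of security.mac.portacl.rules: comma-separated
    'idtype:id:proto:port' entries. Any malformed entry raises ValueError,
    so a typo cannot silently widen or narrow the policy."""
    rules = []
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            continue
        parts = entry.split(":")
        if len(parts) != 4:
            raise ValueError(f"malformed rule {entry!r}: expected idtype:id:proto:port")
        idtype, id_s, proto, port_s = parts
        if idtype not in IDTYPES:
            raise ValueError(f"unknown idtype {idtype!r} in {entry!r}")
        if proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r} in {entry!r}")
        try:
            ident, port = int(id_s), int(port_s)
        except ValueError:
            raise ValueError(f"id and port must be integers in {entry!r}") from None
        if not 0 <= port <= 65535:
            raise ValueError(f"port {port} out of range in {entry!r}")
        rules.append(Rule(idtype, ident, proto, port))
    return rules


def is_valid_rule_spec(spec: str) -> bool:
    """Convenience check for configuration validation before applying a rule set."""
    try:
        parse_rules(spec)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class BindRequest:
    """Credentials and target of a bind(2) call; jid 0 means not jailed."""
    uid: int
    gid: int
    jid: int
    proto: str
    port: int


def rule_matches(rule: Rule, req: BindRequest) -> bool:
    """A rule matches when protocol and port agree and the selected subject
    attribute (uid, gid or jail id) equals the rule's id."""
    if rule.proto != req.proto or rule.port != req.port:
        return False
    subject = {"uid": req.uid, "gid": req.gid, "jid": req.jid}[rule.idtype]
    return subject == rule.id


def bind_allowed(rules, req, port_high=1023, suser_exempt=True) -> bool:
    """Return True if the bind should be permitted. Ports above port_high are
    not governed by the module at all; with suser_exempt root keeps its usual
    privilege; everything else needs an explicit matching rule."""
    if req.port > port_high:
        return True
    if suser_exempt and req.uid == 0:
        return True
    return any(rule_matches(r, req) for r in rules)


if __name__ == "__main__":
    policy = parse_rules("jid:1:tcp:80")          # the rule from the thread
    in_jail = BindRequest(uid=80, gid=80, jid=1, proto="tcp", port=80)
    other_jail = BindRequest(uid=80, gid=80, jid=2, proto="tcp", port=80)
    print(bind_allowed(policy, in_jail), bind_allowed(policy, other_jail))
```

As the model shows, a `jid` rule scopes by jail only: every uid inside jail 1 may bind tcp/80, which is the single layer of scoping Robert refers to. Expressing "uid 80 in jail 20" would need a combined subject in the rule grammar, which this syntax does not carry.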

