In message <[EMAIL PROTECTED]>, Alexander Bezroutchko writes:
>* ping, traceroute doesn't work due to lack of permissionis to create icmp socket.
> I think it is simple to make workaround for such problems:
> create a daemon listening on a unix domain socket for request from a jail.
> Daemon will take request and the pid of requesting process, validate it,
> process and return answer to client.
That would work.
>* only one IP address is available in jail
> It is acceptable limitation, but some daemons would like to use localhost
> address (127.0.0.1).
127.0.0.1 is mapped to the jail address. telnet localhost does what
you'd expect it to.
>* whole kernel MIB is readable, and kern.hostname is writable from jail
> I think we should restrict information about system available from jail --
> leave readable only data required for proper work of libc
> functions like gethostname,getpagesize,sysconf, etc.
kern.hostname only writes the name for that jail.
> If we leave kern.hostname writable from jail, we should
> add new field to `struct jail', say `jailname'.
It's called "p_prison->pr_host" and it was there from day #1.
> And
> /proc/<PID>/status must show this value.
It already does.
>* scheduling
> Scheduler must provide equal time quantum to each jail. I think
> something like "fair share scheduler" required. Is there any plans
> to implement such scheme in FreeBSD ?
Not from me.
>* resource limits
> Current resource limit scheme does not provide enough isolation of jails.
no plans.
>* it is possible to escape from jail
> Following program escapes from jail (tested under 4.0-19990918-CURRENT):
You're right, I've overlooked that one. Will fix.
>Does anybody already encountered and solved problems described above
>or have an ideas ?
No, this is the first one I've heard about.
--
Poul-Henning Kamp FreeBSD coreteam member
[EMAIL PROTECTED] "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message