Stopping dead jails from rising again

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Stopping dead jails from rising again

James Gritton-2
I've got some changes to the jail system, to undo a mistake I made
years ago: allowing a dead jail to be brought back to life via
jail_set(...JAIL_DYING).  The main point of this is to re-create jails
with hard-coded JIDs (which themselves were a mistake) without waiting
for the old jails to let go of all their resources.

Currently, adding such a jail brings the old one back (uf there is an
old one), meaning that you're not sure if the "new" jail will start
with default values, or with whatever its previous incarnation had.
Among other things, there have been rumblings of associated security
problems with that (though any specifics have been cleaned up).

Since I still need to handle the hard-coded JIDs, the new strategy is
to silently renumber the old dying jail, so the new jail can have the
ID it expect while still being brand-new.  This is imperfect, but I
think it's a good deal better than the current alternative.

If anyone cares to look into this this for some constructive
criticism (or I suppose for any criticism):

https://reviews.freebsd.org/D27876
https://reviews.freebsd.org/D28150

- Jamie
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "[hidden email]"