jails clean startup

Andreas Kohn andreas.kohn at gmail.com
Sun Mar 19 16:28:35 PST 2006


On Mon, Mar 20, 2006 at 12:29:47AM +0100, Andreas Kohn wrote:
> [*] The man page of kill doesn't mention "0" as a way to check if a
> process is jailed, and neither jail(2) nor jail(8) talk about it.
To be fair, the man pages of FreeBSD's jail(8) utility or jail(2) also
do not mention the security.jail.jailed sysctl. [*]

I do however consider it way more obvious to check an explicit sysctl,
or try to find one by looking at the related controls, than using kill,
ps, or trying to bind a socket to or whatever.

On Mon, 2006-03-20 at 00:51 +0100, joerg at xxxxxxxxxxxxxxxxx wrote:
> "0" is a valid signal and the standard check to see if a process exists.
> Which process is known to run in the base system and can't exist in a
> jail therefore?

On Mon, 2006-03-20 at 01:14 +0100, Simon 'corecode' Schubert wrote:
> you'll get an ESRCH if you're in a jail, I guess. Or an EPERM?

I guess. My argument was not that there are no other methods, but that a
sysctl is more obvious than those methods. Compare the commit message
when the sysctl was added to FreeBSD:

date: 2004/02/19 14:29:14;  author: pjd;  state: Exp;  lines: +13 -0
Added sysctl security.jail.jailed.
It returns 1 if the process is inside of jail and 0 if it is not.
_Information if we are in jail or not is not a secret, there is plenty
of ways to discover it. Many people are using their own hack to check this_
and this will be a legal way from now on.


[*] Which of course can be changed, thanks for the idea :)
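As an added illustration of the point argued above (not code from the thread or from DragonFly's rc scripts), here is a tri-state jail check for an rc-style startup script that prefers the explicit security.jail.jailed sysctl and reports "unknown" rather than guessing on a system where the sysctl does not exist; the function names and the host_only_step policy are my own assumptions:

```shell
#!/bin/sh
# Added example: detect jail status via the security.jail.jailed sysctl.
# Exit status convention: 0 = jailed, 1 = not jailed, 2 = cannot determine.

# Classify a raw sysctl value. Anything other than "0" or "1" is "unknown".
jail_status_from_value() {
    case "$1" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Query the sysctl. On a system without it (older DragonFly, a non-BSD
# kernel, or sysctl(8) missing entirely) the command fails, and we report
# "unknown" instead of inferring jail status from side effects.
in_jail() {
    _v=$(sysctl -n security.jail.jailed 2>/dev/null) || return 2
    jail_status_from_value "$_v"
}

# Typical startup-script use (hypothetical policy): run a host-only step
# only when we positively know we are on the host; when jailed, or when the
# status cannot be determined, skip it and say why. Written so it is safe
# under "set -e" as well.
host_only_step() {
    rc=0
    in_jail || rc=$?
    case $rc in
        0) echo "jailed: skipping $1"; return 1 ;;
        2) echo "cannot determine jail status: skipping $1"; return 1 ;;
        *) echo "host: running $1"; return 0 ;;
    esac
}
```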
