by Avernar
3232 days ago
I'm running postgresql in a FreeBSD vnet jail without issue. The network stack is not shared as it's a vnet jail. I have it set for per jail sysvipc, new in FreeBSD 11, which was the last thing I needed to fully isolate it from other jails. Is there anything else that's needed to properly restrict the jail?
https://forums.freebsd.org/threads/59371/
Apparently this can (should?) be tweaked a bit since 11-release:
https://www.freebsd.org/cgi/man.cgi?query=jail&sektion=&n=1
> allow.sysvipc A process within the jail has access to System V IPC primitives. This is deprecated in favor of the per-module parameters (see below). When this parameter is set, it is equivalent to setting sysvmsg, sysvsem, and sysvshm all to ``inherit''.
I interpret that as it still being the case that, by setting this to (the equivalent of) the deprecated setting, one loses much of the protection a jail normally gives.
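For comparison, here is a jail.conf fragment showing the deprecated `allow.sysvipc` knob next to the per-module parameters the man page points to. This is an added example, not configuration posted by anyone in this thread; the jail name `pgjail`, the path, the hostname and the `epair0b` interface are assumed placeholders.

```conf
# Added example (not from the thread). Jail name, path, hostname and
# interface are assumed placeholders.
pgjail {
    path = "/jails/pgjail";
    host.hostname = "pgjail.example";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";

    # Own network stack, as in the original poster's setup.
    vnet;
    vnet.interface = "epair0b";

    # Weak (deprecated): equivalent to sysvmsg/sysvsem/sysvshm = inherit,
    # i.e. the jail shares the host's System V IPC namespace.
    # allow.sysvipc = 1;

    # Per-module (FreeBSD 11+): "new" gives the jail its own private
    # SysV IPC namespace; "disable" would turn the primitive off, which
    # PostgreSQL's shared memory/semaphore use does not tolerate.
    sysvmsg = "new";
    sysvsem = "new";
    sysvshm = "new";
}
```

After starting the jail, `jls -j pgjail sysvmsg sysvsem sysvshm` prints the effective values, so you can confirm they read `new` rather than `inherit` before relying on the isolation.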