by e12e
3231 days ago
Mostly that afaik a jail with sysvipc set isn't really isolated any more - it works, but defeats some of the purpose of using a jail in the first place? https://forums.freebsd.org/threads/59371/

Apparently this can (should?) be tweaked a bit since 11-release: https://www.freebsd.org/cgi/man.cgi?query=jail&sektion=&n=1

> allow.sysvipc A process within the jail has access to System V IPC primitives. This is deprecated in favor of the per-module parameters (see below). When this parameter is set, it is equivalent to setting sysvmsg, sysvsem, and sysvshm all to "inherit".

I interpret that as it still being the case that setting this to the (equivalent of) the deprecated setting, one loses much of the protection a jail normally gives.
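Added example, not part of the comment above and not FreeBSD project code: a small audit that reads a jail.conf and reports which jails are set to share SysV IPC with the host, either through the deprecated `allow.sysvipc` or through a per-module parameter set to `inherit`. The sample configuration, jail names and paths are constructed, and the parser handles only a simplified subset of the jail.conf syntax.

```python
import re

# Constructed sample jail.conf; jail names and paths are hypothetical.
SAMPLE_CONF = """
exec.start = "/bin/sh /etc/rc";   # global default
db {
    path = "/jails/db";
    allow.sysvipc;                # deprecated switch
}
web {
    path = "/jails/web";
    sysvshm = new;                # private namespace
    sysvsem = "inherit";          # shared with the host
}
mail { path = "/jails/mail"; }
"""

SYSV = ("sysvmsg", "sysvsem", "sysvshm")
BLOCK = re.compile(r"([\w.*-]+)\s*\{(.*?)\}", re.S)

def _params(body):
    """Parse 'key = value;' and bare boolean 'key;' statements."""
    out = {}
    for stmt in body.split(";"):
        key, _, val = stmt.strip().partition("=")
        if key.strip():
            out[key.strip()] = val.strip().strip('"') or "true"
    return out

def shared_sysv(conf):
    """Map jail name -> SysV IPC facilities set to share the host's objects.

    Simplified parser (assumption): '#' and /* */ comments only, no '+=',
    no variable substitution, no '#' or '}' inside quoted strings.
    """
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"#[^\n]*", "", conf)
    defaults = _params(BLOCK.sub("", conf))      # statements outside any jail
    report = {}
    for name, body in BLOCK.findall(conf):
        p = {**defaults, **_params(body)}
        if p.get("allow.sysvipc") in ("true", "1"):
            hit = set(SYSV)                      # equivalent to all three "inherit"
        else:
            hit = {k for k in SYSV if p.get(k) == "inherit"}
        if hit:
            report[name] = sorted(hit)
    return report

if __name__ == "__main__":
    for jail, facilities in shared_sysv(SAMPLE_CONF).items():
        print(f"{jail}: inherits {', '.join(facilities)}")
```

A jail that needs SysV IPC without being flagged here would set the relevant per-module parameter to `new`, which gives it its own key namespace.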