From: Andreas Kohn <andreas.kohn@xxxxxxxxx>
Date: Mon, 20 Mar 2006 01:28:17 +0100

Moin,

On Mon, Mar 20, 2006 at 12:29:47AM +0100, Andreas Kohn wrote:
> [*] The man page of kill doesn't mention "0" as a way to check if a
> process is jailed, and neither jail(2) nor jail(8) talk about it.

To be fair, the man pages of FreeBSD's jail(8) utility or jail(2) also do not mention the security.jail.jailed sysctl. [*]
I do however consider it way more obvious to check an explicit sysctl, or try to find one by looking at the related controls, than using kill, ps, or trying to bind a socket to 0.0.0.0 or whatever.

On Mon, 2006-03-20 at 00:51 +0100, joerg@xxxxxxxxxxxxxxxxx wrote:
> "0" is a valid signal and the standard check to see if a process exists.
> Which process is known to run in the base system and can't exist in a
> jail therefore?

On Mon, 2006-03-20 at 01:14 +0100, Simon 'corecode' Schubert wrote:
> you'll get a ESRCH if you're in a jail, i guess. or a EPERM?

I guess. My argument was not that there are no other methods, but that a sysctl is more obvious than those methods.

Compare the commit message when the sysctl was added to FreeBSD:

----
date: 2004/02/19 14:29:14; author: pjd; state: Exp; lines: +13 -0
Added sysctl security.jail.jailed. It returns 1 is process is inside of jail and 0 if it is not.
_Information if we are in jail or not is not a secret, there is plenty of ways to discover it. Many people are using own hack to check this_ and this will be a legal way from now on.
----

Regards,
Andreas

[*] Which of course can be changed, thanks for the idea :)
http://www.freebsd.org/cgi/query-pr.cgi?pr=94711
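The two approaches compared in this message, side by side, as an added example that is not part of the original mail or of any project's code: the explicit security.jail.jailed query next to the kill(pid, 0) probe, whose result still has to be interpreted. It assumes FreeBSD for the sysctl (elsewhere the function reports "unavailable"); the function and enum names are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/sysctl.h>
#endif

/* Explicit check: 1 = jailed, 0 = not jailed, -1 = sysctl unavailable. */
int jailed_by_sysctl(void)
{
#if defined(__FreeBSD__)
    int jailed = 0;
    size_t len = sizeof(jailed);
    if (sysctlbyname("security.jail.jailed", &jailed, &len, NULL, 0) == 0)
        return jailed ? 1 : 0;
#endif
    return -1;
}

enum probe { PROBE_VISIBLE, PROBE_VISIBLE_NO_PERM, PROBE_NOT_VISIBLE, PROBE_ERROR };

/* Interpret kill(pid, 0): signal 0 delivers nothing, only the checks run.
 * ESRCH says the pid is not visible to the caller, which can mean "hidden
 * by the jail" or simply "no such process", so it is a hint, not an answer. */
enum probe classify_kill0(int rc, int err)
{
    if (rc == 0)      return PROBE_VISIBLE;
    if (err == EPERM) return PROBE_VISIBLE_NO_PERM; /* exists, no permission */
    if (err == ESRCH) return PROBE_NOT_VISIBLE;
    return PROBE_ERROR;
}

enum probe probe_pid(pid_t pid)
{
    errno = 0;
    int rc = kill(pid, 0);
    return classify_kill0(rc, errno);
}

int main(void)
{
    /* pid 1 is an assumed "base system only" probe target. */
    printf("sysctl says jailed: %d\n", jailed_by_sysctl());
    printf("kill(1, 0) probe:   %d\n", (int)probe_pid(1));
    return 0;
}
```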