Re: [PATCH] BSD Jail LSM (2/3)

From: Alan Cox
Date: Fri Sep 10 2004 - 15:35:26 EST

Next message: Maciej W. Rozycki: "Re: [patch 17/25] drivers/tc/zs.c MIN/MAX removal"
Previous message: Lars Marowsky-Bree: "Re: [Linux-cluster] New virtual synchrony API for the kernel: was Re: [Openais] New API in openais"
In reply to: Serge Hallyn: "Re: [PATCH] BSD Jail LSM (2/3)"
Next in thread: Serge E. Hallyn: "Re: [PATCH] BSD Jail LSM (2/3)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Gwe, 2004-09-10 at 21:23, Serge Hallyn wrote:
> Attached is a patch against the security Kconfig and Makefile to support
> bsdjail, as well as the bsdjail.c file itself. bsdjail offers
> functionality similar to (but more limited than) the vserver patch.

Looking over the code the first question I would ask is that it supports
AF_INET but not AF_INET6. That seems a bit limited in todays internet
environment.

> A process in a jail lives under a chroot which is not vulnerable to the
> well-known chdir(...)(etc)chroot(.) attack against normal chroots, and
> may be locked to one ip address. For additional features, please see
> Documentation/bsdjail.txt, which is included in the next patch.

You can break out with someone co-operating from outside the jail but
that I guess is pretty harmless anyway.

Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Maciej W. Rozycki: "Re: [patch 17/25] drivers/tc/zs.c MIN/MAX removal"
Previous message: Lars Marowsky-Bree: "Re: [Linux-cluster] New virtual synchrony API for the kernel: was Re: [Openais] New API in openais"
In reply to: Serge Hallyn: "Re: [PATCH] BSD Jail LSM (2/3)"
Next in thread: Serge E. Hallyn: "Re: [PATCH] BSD Jail LSM (2/3)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]