Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing

From: Serge E. Hallyn
Date: Mon Feb 07 2005 - 17:58:15 EST

Next message: Andrew Morton: "Re:move-accounting-function-calls-out-of-critical-vm-code-paths.patch"
Previous message: Trond Myklebust: "Re: Irix NFS server usual problem"
In reply to: Chris Wright: "Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing"
Next in thread: Lorenzo Hernández García-Hierro: "Re: [PATCH] sys_chroot() hook for additional chroot() jailsenforcing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

If I understood you correct earlier, the only policy you needed to
enforce was to prevent double-chrooting. If that is the case, why is it
not sufficient to keep a "process-has-used-chroot" flag in
current->security which is set on the first call to
capable(CAP_SYS_CHROOT) and inherited by forked children, after which
calls to capable(CAP_SYS_CHROOT) are refused?

Of course if you need to do more, then a hook might be necessary.

-serge

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re:move-accounting-function-calls-out-of-critical-vm-code-paths.patch"
Previous message: Trond Myklebust: "Re: Irix NFS server usual problem"
In reply to: Chris Wright: "Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing"
Next in thread: Lorenzo Hernández García-Hierro: "Re: [PATCH] sys_chroot() hook for additional chroot() jailsenforcing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]