Re: [patch 2/3] lsm: add bsdjail module

From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: 10/12/04

  • Next message: Harald Dunkel: "USB Problem (was: 2.6.9-rc4: Aiee on amd64)" 
    Date:	Tue, 12 Oct 2004 09:00:55 +0200
To: Alan Cox <alan@lxorguk.ukuu.org.uk>

    On Mon, Oct 11, 2004 at 02:47:29PM +0100, Alan Cox wrote:
    > On Sul, 2004-10-10 at 11:41, Christoph Hellwig wrote:
    > > Your filesystem handling code is completely superflous (and buggy). Please
    > > remove all the code dealing with chroot-lookalikes. In your userland script
    > > you simpl have to clone(.., CLONE_NEWNS) to detach your namespace from your
    > > parent, then you can lazly unmount all filesystems and setup your new namespace
    > > before starting the jail. The added advantage is that you don't need any
    > > cludges to keep the user from exiting the chroot.
    >
    > AF_UNIX socket and fchdir().
    >
    > That however requires a co-operator outside the chroot so doesn't seem
    > to be a problem. I like the CLONE approach, its a lot cleaner.

    and it works well, because we use it for almost
    a year now on linux-vserver ;)

    best,
    Herbert

    > -
    > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    > the body of a message to majordomo@vger.kernel.org
    > More majordomo info at http://vger.kernel.org/majordomo-info.html
    > Please read the FAQ at http://www.tux.org/lkml/
    -
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  • Next message: Harald Dunkel: "USB Problem (was: 2.6.9-rc4: Aiee on amd64)"

    Relevant Pages

    • Re: [PATCH 12/18] shared mount handling: bind and rbind
      ... I'd say that _usually_ you're better off using chroot() than mounting over ... It's a "flaw" in chroot if you consider it a jail, ... send the line "unsubscribe linux-kernel" in ...
      (Linux-Kernel)
    • Re: [PATCH] private mounts
      ... The check is to prevent processes in chroot jails from accessing ... directories outside their jail. ... process from traversing into a "child" namespace. ... send the line "unsubscribe linux-kernel" in ...
      (Linux-Kernel)
    • Re: [patch 2/3] lsm: add bsdjail module
      ... then you can lazly unmount all filesystems and setup your new namespace ... >> before starting the jail. ... send the line "unsubscribe linux-kernel" in ...
      (Linux-Kernel)
    • Re: [PATCH] private mounts
      ... > chroot jails to not be able to see processes outside the jail in /proc ... > - only processes inside the jail should be visible. ... Creating a new namespace would also have the same effect (only ... send the line "unsubscribe linux-kernel" in ...
      (Linux-Kernel)
    • Re: [PATCH] private mounts
      ... >> the namespace of NNN? ... > I've been thinking about this a bit more...would you even need chroot? ... The login process can do it before it changes uid to the user, ... send the line "unsubscribe linux-kernel" in ...
      (Linux-Kernel)