Date: Sun, 3 Nov 2002 09:51:30 -0500 (EST)
From: Alexander Viro
To: Alan Cox
cc: Linus Torvalds, Olaf Dietsche, "Theodore Ts'o", Dax Kelson, Rusty Russell, Linux Kernel Mailing List, davej@suse.de
Subject: Re: Filesystem Capabilities in 2.6?
In-Reply-To: <1036328636.29646.30.camel@irongate.swansea.linux.org.uk>

On 3 Nov 2002, Alan Cox wrote:

> The problem with this is it's nontrivial to set up all the rules. Being
> able to use namespaces to revoke rights is a big help. If we were to add
> a capability for 'getting out of chroot' then we can also combine it
> with chroot to drop users into an unprivileged universe from which they
> cannot escape because we took away the chroot stuff and we took away
> rawio and so on

No messing with chroot needed - just a way to irreversibly turn off the
ability (for anybody) to do mounts/umounts in a given namespace and the
ability to clone that namespace. Then give them ramfs for root and bind
whatever you need in there. No breaking out of that, since there is
nothing below their root where they could break out to...
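The root construction Viro describes (a fresh mount namespace, an in-memory filesystem as "/", only the needed host paths bound in, and nothing left below the new root) can be expressed with today's util-linux tools. The script below is an added example written for this page, not code from the thread or from any project; it uses tmpfs rather than ramfs, the staging point `/tmp/jail`, and the list of read-only bind mounts are assumptions, and it must run as root inside `unshare -m` (for example `unshare -m sh jail.sh run`). It only builds the root: the "irreversibly turn off mounts" part of the proposal is not something the script can do; in practice that comes from running the confined process without CAP_SYS_ADMIN in its user namespace. The `check_jail` function is the defender-side verification: fed a `/proc/self/mountinfo`-format table, it reports `ok` only when exactly one mount sits on "/", it is tmpfs or ramfs, and no entry still references the old root.

```shell
#!/bin/sh
# Added example (not from the thread): build a namespace-confined root as the
# reply describes, then verify the resulting mount table.
# Requires root/CAP_SYS_ADMIN and util-linux; run under "unshare -m".
set -eu

JAIL=${JAIL:-/tmp/jail}      # assumed staging mount point (constructed)

# Bind a host path read-only into the jail: host path, jail-relative path.
bind_ro() {
    mkdir -p "$JAIL$2"
    mount --bind "$1" "$JAIL$2"
    mount -o remount,bind,ro "$JAIL$2"
}

# Build the confined root inside the current (fresh) mount namespace:
# empty tmpfs as the future "/", a few read-only binds, then pivot_root and
# detach the old root so nothing exists below the new one.
build_jail() {
    mkdir -p "$JAIL"
    mount -t tmpfs -o nosuid,nodev,size=16m tmpfs "$JAIL"
    mkdir -p "$JAIL/oldroot"
    for p in /bin /lib /lib64 /usr; do        # assumed set of needed paths
        if [ -d "$p" ]; then bind_ro "$p" "$p"; fi
    done
    cd "$JAIL"
    pivot_root . oldroot
    umount -l /oldroot
    rmdir /oldroot
    cd /
}

# Verification: read mountinfo-format lines on stdin. Field 5 is the mount
# point; the filesystem type follows the "-" separator. Prints "ok" and
# returns 0 only for a closed in-memory root, otherwise "bad" and 1.
check_jail() {
    awk '
        { mp = $5; fs = ""
          for (i = 7; i <= NF; i++) if ($i == "-") { fs = $(i + 1); break } }
        mp == "/" { roots++; if (fs == "tmpfs" || fs == "ramfs") memroot = 1 }
        index(mp, "/oldroot") == 1 { leaked++ }
        END {
            if (roots == 1 && memroot == 1 && leaked == 0) { print "ok"; exit 0 }
            print "bad"; exit 1
        }'
}

case "${1:-}" in
    run)   build_jail
           mkdir -p /proc && mount -t proc proc /proc
           check_jail < /proc/self/mountinfo ;;
    check) check_jail ;;            # e.g. check < /proc/self/mountinfo
esac
```

`unshare -m` makes the new namespace's mounts private by default, so nothing the script mounts propagates back to the host table, and the `umount -l /oldroot` step is what makes "nothing below their root" true: once the old root is detached there is no directory left to reach the host filesystem through.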