Subject: Re: [PATCH] BSD Jail LSM (2/3)
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: Serge Hallyn <serue@us.ibm.com>
Cc: Chris Wright <chrisw@osdl.org>,
       Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, akpm@osdl.org
In-Reply-To: <1094847787.2188.101.camel@serge.austin.ibm.com>
References: <1094847705.2188.94.camel@serge.austin.ibm.com>
	 <1094847787.2188.101.camel@serge.austin.ibm.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Message-Id: <1094844708.18107.5.camel@localhost.localdomain>
Mime-Version: 1.0
Date: Fri, 10 Sep 2004 20:31:49 +0100
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1065
Lines: 23

On Gwe, 2004-09-10 at 21:23, Serge Hallyn wrote:
> Attached is a patch against the security Kconfig and Makefile to support
> bsdjail, as well as the bsdjail.c file itself.  bsdjail offers
> functionality similar to (but more limited than) the vserver patch.

Looking over the code the first question I would ask is that it supports
AF_INET but not AF_INET6. That seems a bit limited in todays internet
environment. 

> A process in a jail lives under a chroot which is not vulnerable to the
> well-known chdir(...)(etc)chroot(.) attack against normal chroots, and
> may be locked to one ip address.  For additional features, please see
> Documentation/bsdjail.txt, which is included in the next patch.

You can break out with someone co-operating from outside the jail but
that I guess is pretty harmless anyway. 

Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/