Date: Mon, 7 Feb 2005 16:50:56 -0600
From: "Serge E. Hallyn"
To: Lorenzo Hernández García-Hierro
Cc: "linux-kernel@vger.kernel.org", "linux-security-module@wirex.com"
Subject: Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing
Message-ID: <20050207225056.GA2388@IBM-BWN8ZTBWA01.austin.ibm.com>
In-Reply-To: <1107814610.3754.260.camel@localhost.localdomain>

Hi,

If I understood you correctly earlier, the only policy you needed to enforce was to prevent double-chrooting. If that is the case, why is it not sufficient to keep a "process-has-used-chroot" flag in current->security which is set on the first call to capable(CAP_SYS_CHROOT) and inherited by forked children, after which calls to capable(CAP_SYS_CHROOT) are refused?

Of course if you need to do more, then a hook might be necessary.

-serge
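
A user-space C model of the flag scheme described in the message, added here as an illustration; it is not code from the thread or from the kernel. The `model_*` functions, the `task` and `task_security` structs and the simplified root check are assumptions standing in for `current->security`, fork-time inheritance and `capable()`.

```c
#include <errno.h>
#include <stdlib.h>

#define MODEL_CAP_SYS_CHROOT 18 /* CAP_SYS_CHROOT in linux/capability.h */

/* Hypothetical per-task blob, standing in for what ->security points to. */
struct task_security { int used_chroot; };
struct task { int is_root; struct task_security *security; };

/* Models fork: the child gets its own blob, copied from the parent.
 * parent == NULL creates a fresh root task with the flag clear. */
struct task *model_fork(const struct task *parent)
{
    struct task *child = malloc(sizeof(*child));
    if (!child)
        return NULL;
    child->security = malloc(sizeof(*child->security));
    if (!child->security) {
        free(child);
        return NULL;
    }
    child->is_root = parent ? parent->is_root : 1;
    child->security->used_chroot = parent ? parent->security->used_chroot : 0;
    return child;
}

/* Models the capable() decision: 0 grants, -EPERM refuses. */
int model_capable(struct task *t, int cap)
{
    if (!t->is_root)
        return -EPERM;            /* simplified base capability check */
    if (cap != MODEL_CAP_SYS_CHROOT)
        return 0;                 /* other capabilities are unaffected */
    if (t->security->used_chroot)
        return -EPERM;            /* already asked once: refuse */
    t->security->used_chroot = 1; /* first request: grant and remember */
    return 0;
}

int main(void)
{
    struct task *daemon = model_fork(NULL);
    int first = model_capable(daemon, MODEL_CAP_SYS_CHROOT);   /* granted */
    struct task *worker = model_fork(daemon);                  /* inherits flag */
    int second = model_capable(worker, MODEL_CAP_SYS_CHROOT);  /* refused */
    return (first == 0 && second == -EPERM) ? 0 : 1;
}
```

The model marks the task at the capability check itself, so any caller that checks this capability sets the flag, whether or not it goes on to change the root.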