Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Thu, 11 Jul 2002 19:54:52 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Thu, 11 Jul 2002 19:54:51 -0400 Received: from cerebus.wirex.com ([65.102.14.138]:57326 "EHLO figure1.int.wirex.com") by vger.kernel.org with ESMTP id ; Thu, 11 Jul 2002 19:54:51 -0400 Date: Thu, 11 Jul 2002 16:56:36 -0700 From: Chris Wright To: Shaya Potter Cc: linux-kernel@vger.kernel.org Subject: Re: jail() system call (was Re: prevent breaking a chroot() jail?) Message-ID: <20020711165636.B21285@figure1.int.wirex.com> Mail-Followup-To: Shaya Potter , linux-kernel@vger.kernel.org References: <200207051516.g65FGYY20854@marc2.theaimsgroup.com> <20020705161750.GO1548@niksula.cs.hut.fi> <1026428914.8085.11.camel@zaphod> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <1026428914.8085.11.camel@zaphod>; from spotter@cs.columbia.edu on Thu, Jul 11, 2002 at 07:08:13PM -0400 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1148 Lines: 27 * Shaya Potter (spotter@cs.columbia.edu) wrote: > Wow, this is what I need. Would there be any interest in having this > syscall in Linux, as I need to design something like this anyways for > the research we are doing. > > A first stab implementation would probably be as a module (as our > research is based on a being usable just as a loadable module, w/o any > direct kernel patch need, therefore until something is accepted into the > kernel, we would need it like this), but we'd prefer it, and it > definitely would be cleaner to have the jail tests integrated into the > syscall and not wrapped by the module. You could implement this policy in a security module. http://lsm.immunix.org. I don't believe you can do all of jail() with just capabilities, and as a module it can always be extended. thanks, -chris -- Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/