Quoting Eric Van Hensbergen ([email protected]):
> Let's focus on baby steps first, and to me that's:
> a) get rid of holes that allow users to traverse out of a chroot jail
> by using the creation of private name spaces (is anyone working on
> this, did I miss a patch?)
I have tested doing
clone(CLONE_NEWNS);
chdir(/some_jail_dir);
pivot_root(., tmp)
umount2(tmp, MNT_DETACH)
chroot(.)
which appears to prevent escapes from chroot jails. So unless my tests
were insufficient, we don't need additional kernel support. We can just
use something like chroot_ns.c from www.sf.net/projects/linux-jail/.
> b) make CLONE_NEWNS (and any other name space creation mechanisms such
> as the proposed unshare system call) available to normal users
> c) Get the unshare system call adopted as it seems to be generally useful
> d) Get Miklos' unprivileged mount/umount patch adopted in mainline
and I'd say
e) Work towards the shared namespaces, which are really one of the
main reasons not to use namespaces right now.
I know this work is being done, so this isn't so much a request for the
shared namespaces, as just a reminder that this will be one of the major
pieces of functionality to consider along with the ones you listed.
thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
