On 8/13/05, Serge E. Hallyn <[email protected]> wrote:
> The latest version (which is still quite old) is at
> http://www.sf.net/projects/linuxjail and does have ipv6 support. The last
> time I submitted it, Christoph had objected to the way the networking was
> done in general. I've tried twice to float a generalized "per-process
> network namespaces" patch, but haven't really found a good approach.
>
> I suspect that the best approach would be to take the linux-vserver
> ngnet implementation and convert it to a standalone network namespace
> plus virtual network device implementation. Do you care to give this
> a try?
>
> thanks,
> -serge
Why would you want a virtual network device implementation? The whole point of jail() is a replacement for chroot() for housing untrusted root processes in a lightweight manner as reasonable. I think in one way at least, I have restricted the manner of jail behavior better than the current linuxjail, by turning off capabilities rather than blocking mknod(), mount(), etc.

I do like the idea of patching in through LSM, however, not everything can be done there. In particular, I could escape from the jail as implemented there by a classic chroot() trick.