Re: BSD jail

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/13/05, Serge E. Hallyn <[email protected]> wrote:
> The latest version (which is still quite old) is at
> http://www.sf.net/projects/linuxjail and does have ipv6 support.  The last
> time I submitted it, Christoph had objected to the way the networking was
> done in general.  I've tried twice to float a generalized "per-process
> network namespaces" patch, but haven't really found a good approach.
> 
> I suspect that the best approach would be to take the linux-vserver
> ngnet implementation and convert it to a standalone network namespace
> plus virtual network device implementation.  Do you care to give this
> a try?
> 
> thanks,
> -serge

Why would you want a virtual network device implementation? The whole
point of jail()
is a replacement for chroot() for housing untrusted root processes in
a lightweight
manner as reasonable.  I think in one way at least, I have restricted the manner
of jail behavior better than the current linuxjail, by turning off
capabilities rather than
blocking mknod(), mount(), etc.

I do like the idea of patching in through LSM, however not everything
can be done there.
In particular, I could escape from the jail as implemented there by a
classic chroot()
trick.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]
  Powered by Linux