Re: BSD jail

Quoting Serge E. Hallyn ([email protected])
>Quoting Joshua Hudson ([email protected]):
> Why would you want a virtual network device implementation? The whole
>
>So that a jailed process can use the net but can't use your network
>address (intercept ssh, imap/stunnel, etc).

[snip]

>But in the end vserver with read-only bind mounts seems a better way to
>go imo.

Latest version of linux vserver source: 100K bzipped
Latest version of linux-jail: 34K uncompressed

To build a virtual network device requires code for the device, code for routing the device in the kernel, some way to tell the router that this machine is hosted through the host machine's ethernet card, and control of which processes use which network devices.

Way too much work for something intended to be simple and have essentially no overhead.  All this work only gets jailed processes the ability to use 127.0.0.1. The rest I can already do with eth0:1 and the specs for jail(2) from BSD.
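
As an added illustration that is not part of the original message and is not linux-jail or FreeBSD source: a user-space C model of the address check a jail(2)-style restriction applies to bind(), showing why a jailed process that holds only the eth0:1 alias address cannot listen on the host's address. The struct and function names and the 192.0.2.x addresses are hypothetical, and refusing 127.0.0.1 is an assumption drawn from the message's remark about loopback.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical per-jail state: the one IPv4 address (network order) on eth0:1. */
struct jail_ctx { struct in_addr ip; };

/* Model of the bind() address check: 0 (may rewrite *sa) or a negative errno. */
int jail_check_bind(const struct jail_ctx *j, struct sockaddr_in *sa)
{
    if (sa->sin_family != AF_INET)
        return -EAFNOSUPPORT;          /* this model covers IPv4 only */
    if (sa->sin_addr.s_addr == htonl(INADDR_ANY)) {
        sa->sin_addr = j->ip;          /* wildcard collapses to the jail address */
        return 0;
    }
    if (sa->sin_addr.s_addr == j->ip.s_addr)
        return 0;
    /* Host address, other aliases and 127.0.0.1 (assumption) are refused. */
    return -EADDRNOTAVAIL;
}

/* Runs the check on textual addresses; writes the resulting address to out. */
int try_bind(const char *jail_ip, const char *want, char *out, size_t outlen)
{
    struct jail_ctx j;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, jail_ip, &j.ip) != 1 ||
        inet_pton(AF_INET, want, &sa.sin_addr) != 1)
        return -EINVAL;
    int rc = jail_check_bind(&j, &sa);
    return inet_ntop(AF_INET, &sa.sin_addr, out, outlen) ? rc : -EINVAL;
}

int main(void)
{
    /* Constructed addresses: 192.0.2.10 = host eth0, 192.0.2.11 = jail on eth0:1. */
    const char *wants[] = { "0.0.0.0", "192.0.2.11", "192.0.2.10", "127.0.0.1" };
    char buf[INET_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof wants / sizeof wants[0]; i++) {
        int rc = try_bind("192.0.2.11", wants[i], buf, sizeof buf);
        printf("bind(%s) -> rc=%d, address %s\n", wants[i], rc, buf);
    }
    return 0;
}
```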