From: Jochen Bern <bern@ti.uni-trier.de>
To: linux-kernel@vger.kernel.org
Subject: procfs and chroot() ... ?
Date: Tue, 14 Sep 2004 03:30:29 +0200
Message-ID: <414649B5.4000701@ti.uni-trier.de>

I'm trying to chroot() a server that needs to read one readonly pseudo
file from /proc. I tried to pinpoint my options to do so ...

-- The alternative to accessing this one pseudo file would be to grant
   the server access to /dev/kmem ... NOT ... ANY ... BETTER!! 8-}

-- Mounting two procfs instances (one normal, one inside the chroot())
   and setting restrictive permissions on the latter makes identical
   changes to the former. (I assume that'd be the same for ACLs?)

-- Deploying SELinux ... will have to do a good deal of reading to
   even find out what'd be involved in that ...

-- Mounting a "second" procfs, chroot()ing into the exact subdir the
   file is in, and mounting non-procfs stuff (like the etc dir with the
   configs) *over* the sub-subdirs (ARGH!) would *happen* to rid me of
   all *writable* pseudo files, but still provide read access to way
   more info than I'd want to provide to the server ...

(- I'll try to Use The Source (tm) so that the server will not close the
   pseudo file, and does the chroot() itself after opening it, but let's
   assume for the sake of the argument that I won't succeed in that.)

Is there an official way (or *should* there be one) to have only *part*
of a procfs mounted into a chroot() jail?

Kind regards,
J. Bern
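
The approach from the parenthetical in the message above (open the pseudo file first, keep the descriptor, then chroot() and drop root), as an added example that is not part of the original message. The file /proc/loadavg, the jail directory /var/empty and uid/gid 65534 are assumed values for illustration.

```c
/* Added example. Assumed: /proc/loadavg, /var/empty, uid/gid 65534. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open the pseudo file read-only before entering the jail.
 * O_CLOEXEC keeps the descriptor from leaking into exec'd children. */
int open_before_jail(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Re-read from offset 0 on the retained descriptor, so the file is never
 * reopened by path and no procfs mount is needed inside the jail.
 * Returns the number of bytes read (buf is NUL-terminated) or -1. */
ssize_t reread(int fd, char *buf, size_t len)
{
    if (len == 0) return -1;
    ssize_t n = pread(fd, buf, len - 1, 0);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

/* Enter the jail and give up root. Order matters: chroot, chdir("/") so the
 * working directory is inside the jail, then supplementary groups, gid, uid.
 * Returns 0 on success, -1 on any failure (the caller should exit). */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char buf[256];
    int fd = open_before_jail("/proc/loadavg");
    if (fd < 0) { perror("open"); return 1; }
    if (enter_jail("/var/empty", 65534, 65534) != 0) { perror("jail"); return 1; }
    if (reread(fd, buf, sizeof buf) < 0) { perror("pread"); return 1; }
    printf("from inside jail: %s", buf);
    return 0;
}
```

Only the descriptor for the one file is carried into the jail; a descriptor for a directory outside the jail must not be kept open, since it would give the process a way back out.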