From mboxrd@z Thu Jan  1 00:00:00 1970
From: Hubert Chan <hubert@uhoreg.ca>
Subject: Re: Using fs views to isolate untrusted processes: I need an
 assistant architect in the USA for Phase I of a DARPA funded linux kernel
 project
Date: Mon, 02 Aug 2004 13:29:12 -0400
Sender: news <news@sea.gmane.org>
Message-ID: <87r7qpo3dj.fsf@uhoreg.ca>
References: <410D96DC.1060405@namesys.com> <200408021112.08981.christian.mayrhuber@gmx.net>
Mime-Version: 1.0
Return-path: <reiserfs-list-return-19918-reiserfs=m.gmane.org@namesys.com>
list-help: <mailto:reiserfs-list-help@namesys.com>
list-unsubscribe: <mailto:reiserfs-list-unsubscribe@namesys.com>
list-post: <mailto:reiserfs-list@namesys.com>
Errors-To: flx@namesys.com
List-Id: <reiserfs-devel.vger.kernel.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: reiserfs-list@namesys.com

>>>>> "Christian" == Christian Mayrhuber <christian.mayrhuber@gmx.net> writes:

Christian> Linux VServer might be a project that already tries to
Christian> accomplish this task.

After poking around the linux-veserver.org page, it sounds like Linux
VServer is completely different from what Hans/Namesys is trying to do.
Linux VServer still uses chroot.  From what I understand about views,
you don't need to set up a chroot; applications run under the same
filesystem as everything else.  You just need to, for example, say that
apache is allowed to read from /etc/apache/*, /var/www, /usr/lib, etc.,
and is allowed to write to /var/log/apache/*.  Then, even though apache
is running under the same filesystem, it won't even be able to see, say
/etc/passwd.

-- 
Hubert Chan <hubert@uhoreg.ca> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.