From: Joshua Hudson <joshudson@gmail.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>, linux-kernel@vger.kernel.org
Subject: Re: BSD jail
Date: Sat, 13 Aug 2005 09:33:29 -0700
Message-ID: <bda6d13a0508130933bdbc46a@mail.gmail.com>
In-Reply-To: <20050813143335.GA5044@IBM-BWN8ZTBWA01.austin.ibm.com>
On 8/13/05, Serge E. Hallyn <serue@us.ibm.com> wrote:
> The latest version (which is still quite old) is at
> http://www.sf.net/projects/linuxjail and does have ipv6 support. The last
> time I submitted it, Christoph had objected to the way the networking was
> done in general. I've tried twice to float a generalized "per-process
> network namespaces" patch, but haven't really found a good approach.
>
> I suspect that the best approach would be to take the linux-vserver
> ngnet implementation and convert it to a standalone network namespace
> plus virtual network device implementation. Do you care to give this
> a try?
>
> thanks,
> -serge
Why would you want a virtual network device implementation? The whole point of jail() is a replacement for chroot() for housing untrusted root processes in a lightweight manner as reasonable. I think in one way at least, I have restricted the manner of jail behavior better than the current linuxjail, by turning off capabilities rather than blocking mknod(), mount(), etc.

I do like the idea of patching in through LSM, however not everything can be done there. In particular, I could escape from the jail as implemented there by a classic chroot() trick.
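The design point in the reply above (confine an untrusted root process by removing capabilities rather than by filtering mknod(), mount() and similar calls one by one) can be shown in a small launcher. The following is an added example written for this page, not code from the thread, linuxjail or linux-vserver. It assumes a Linux host with glibc and a kernel that has PR_CAPBSET_DROP and PR_SET_NO_NEW_PRIVS (both newer than the 2005 discussion); it must run as root for the drops to take effect, and the deny list is a constructed illustration, not a complete policy.

```c
/* Added example (not from the original thread): a minimal jail-style
 * launcher that confines an untrusted root process by removing
 * capabilities from the bounding set, instead of trying to block each
 * dangerous system call individually. Assumes Linux + glibc; needs root
 * (CAP_SETPCAP in the effective set) for the drops to succeed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Constructed deny list: each of these capabilities lets "root" undo a
 * chroot-style confinement (re-chroot, create device nodes, mount,
 * load modules, ptrace outside processes, raw device I/O, reboot, or
 * hand capabilities back out). CAP_SETPCAP is dropped last because the
 * bounding-set drops themselves are authorised by the effective set,
 * which PR_CAPBSET_DROP does not touch. */
static const int jail_denied_caps[] = {
    CAP_SYS_CHROOT, CAP_MKNOD,  CAP_SYS_ADMIN, CAP_SYS_MODULE,
    CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SETPCAP,
};
#define JAIL_NDENIED (sizeof jail_denied_caps / sizeof jail_denied_caps[0])

/* Returns 1 if the capability is on the deny list, 0 otherwise. */
int jail_cap_is_denied(int cap)
{
    size_t i;
    for (i = 0; i < JAIL_NDENIED; i++)
        if (jail_denied_caps[i] == cap)
            return 1;
    return 0;
}

/* Removes every denied capability from the bounding set, so that no
 * later execve (even of a setuid-root binary) can reacquire it.
 * Returns the number dropped, or -1 on the first failure (errno set). */
int jail_drop_denied_caps(void)
{
    size_t i;
    int dropped = 0;
    for (i = 0; i < JAIL_NDENIED; i++) {
        if (prctl(PR_CAPBSET_DROP, (unsigned long)jail_denied_caps[i], 0, 0, 0) != 0)
            return -1;
        dropped++;
    }
    return dropped;
}

/* Re-reads the bounding set and returns 1 if any denied capability is
 * still present, 0 if all are gone, -1 if the kernel cannot report it. */
int jail_bounding_set_leaks(void)
{
    size_t i;
    for (i = 0; i < JAIL_NDENIED; i++) {
        int rc = prctl(PR_CAPBSET_READ, (unsigned long)jail_denied_caps[i], 0, 0, 0);
        if (rc < 0)
            return -1;
        if (rc == 1)
            return 1;
    }
    return 0;
}

/* usage: ./jail <jail-root> <command> [args...]   (run as root) */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <jail-root> <command> [args...]\n", argv[0]);
        return 2;
    }
    /* chdir("/") right after chroot() so the process has no open
     * directory reference outside the new root. */
    if (chroot(argv[1]) != 0 || chdir("/") != 0) {
        perror("chroot/chdir");
        return 1;
    }
    if (jail_drop_denied_caps() < 0) {
        perror("prctl(PR_CAPBSET_DROP)");
        return 1;
    }
    /* No setuid/fscaps binary inside the jail may raise privilege later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    if (jail_bounding_set_leaks() != 0) {
        fprintf(stderr, "refusing to exec: a denied capability is still in the bounding set\n");
        return 1;
    }
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 1;
}
```

The verification step before execvp is the part worth keeping in any real launcher: a jail that silently continues after a failed drop is confined only on paper. Note that removing capabilities restricts what the confined root can do, but it does not give the jailed process its own network view; that is the separate "network namespace" question Serge raises in the quoted message.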
Thread overview:
2005-08-13 0:47 BSD jail Joshua Hudson
2005-08-13 14:33 ` Serge E. Hallyn
2005-08-13 16:33 ` Joshua Hudson [this message]
2005-08-14 11:56 ` Serge E. Hallyn
2005-08-14 21:34 ` Joshua Hudson
2005-08-14 23:25 ` Joshua Hudson
2005-08-16 1:35 ` Joshua Hudson