Re: Anyone tried the "vserver" patch?

• Previous message: Timothy Covell: "Anyone tried the "vserver" patch?"
• In reply to: Timothy Covell: "Anyone tried the "vserver" patch?"
• Next in thread: Jacques Gelinas: "Re: Anyone tried the "vserver" patch?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Timothy Covell (timothy.covellat_private) wrote:
 
> I've been using the vserver patch for over a month now.
> See: http://www.solucorp.qc.ca/miscprj/s_context.hc
> It's a bit like BSD's "Jail" on steroids.  I've been happy
> with although I'm behind a firewall, so I'm not getting
> hit much  AFAIK ;-).  Anyhow, I would be interested
> in the opinion of the "cognescenti".    

i haven't used it a lot, but i have read the kernel portion of the patch.
vserver seems pretty functional. although, i do believe there are cases
which allow processes in different contexts to exchange data, this can
compromise security, but as vserver matures, those will get worked out.
conceptually, it's a nice and simple idea, which is appealing (especially
for ease of administration).

a couple things i don't like:
- i persnoally don't like the reliance on chroot(), as it wastes disk space
  -- and no i don't like the vunify solution either.  (also, make note...if
  your vserver has CAP_SYS_CHROOT, the root user in the vserver can break
  out).

- i don't like that it touches ext2 and ext3 directly.  this makes it
  brittle w.r.t. filesystems (something we specifically don't do in LSM).

i've got a partway implemented vserver LSM module, but it will require
some changes to LSM before i'll be able to complete it.  the primary
issue is something that al viro plans to address in the 2.5 VFS
enhancements.  and given the current scheduler design, we will never be
able to support his scheduler extensions (read: still have to patch
kernel. hopefully a more modular schedular will help this).

another issue, which would need to be addressed in LSM in general, is
the ability to return different data to the user based on the vserver
context.  currently this is not possible in all LSM syscall paths.

> (I apologize to Jack Gelinas for posting if he wasn't
> interested in lots of publicity)

heh, he has posted to lkml, so i don't think publicity is a problem ;-)

cheers,
-chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Chris Wright: "Re: free inode security blob"
• Previous message: Timothy Covell: "Anyone tried the "vserver" patch?"
• In reply to: Timothy Covell: "Anyone tried the "vserver" patch?"
• Next in thread: Jacques Gelinas: "Re: Anyone tried the "vserver" patch?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 17:08:03 PST