Re: Anyone tried the "vserver" patch?

From: Chris Wright (chrisat_private)
Date: Wed Dec 05 2001 - 16:58:16 PST

  • Next message: Chris Wright: "Re: free inode security blob"

    * Timothy Covell (timothy.covellat_private) wrote:
    > I've been using the vserver patch for over a month now.
    > See:
    > It's a bit like BSD's "Jail" on steroids.  I've been happy
    > with although I'm behind a firewall, so I'm not getting
    > hit much  AFAIK ;-).  Anyhow, I would be interested
    > in the opinion of the "cognescenti".    
    i haven't used it a lot, but i have read the kernel portion of the patch.
    vserver seems pretty functional. although, i do believe there are cases
    which allow processes in different contexts to exchange data, this can
    compromise security, but as vserver matures, those will get worked out.
    conceptually, it's a nice and simple idea, which is appealing (especially
    for ease of administration).
    a couple things i don't like:
    - i persnoally don't like the reliance on chroot(), as it wastes disk space
      -- and no i don't like the vunify solution either.  (also, make note...if
      your vserver has CAP_SYS_CHROOT, the root user in the vserver can break
    - i don't like that it touches ext2 and ext3 directly.  this makes it
      brittle w.r.t. filesystems (something we specifically don't do in LSM).
    i've got a partway implemented vserver LSM module, but it will require
    some changes to LSM before i'll be able to complete it.  the primary
    issue is something that al viro plans to address in the 2.5 VFS
    enhancements.  and given the current scheduler design, we will never be
    able to support his scheduler extensions (read: still have to patch
    kernel. hopefully a more modular schedular will help this).
    another issue, which would need to be addressed in LSM in general, is
    the ability to return different data to the user based on the vserver
    context.  currently this is not possible in all LSM syscall paths.
    > (I apologize to Jack Gelinas for posting if he wasn't
    > interested in lots of publicity)
    heh, he has posted to lkml, so i don't think publicity is a problem ;-)
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 17:08:03 PST