Re: Anyone tried the "vserver" patch?

From: Chris Wright (chrisat_private)
Date: Sat Dec 08 2001 - 15:18:41 PST


    * Jacques Gelinas (jackat_private) wrote:
    > On Wed, 5 Dec 2001 16:58:16 -0500, Chris Wright wrote
    > > a couple things i don't like:
    > > - i personally don't like the reliance on chroot(), as it wastes disk space
    > >   -- and no i don't like the vunify solution either.  (also, make note...if
    > >   your vserver has CAP_SYS_CHROOT, the root user in the vserver can break
    > >   out).
    > No. This has been tested. Since 2.4.10, all tests we did failed.
    cool, thanks for the correction.  i wasn't very clear, and meant
    chroot(2) can be broken.  the reason is chroot(2) does not change the
    cwd.  but, vserver is using chroot(1) which includes the proper
    chdir(2).  sorry for the confusion.
    > > - i don't like that it touches ext2 and ext3 directly.  this makes it
    > >   brittle w.r.t. filesystems (something we specifically don't do in LSM).
    > No way out if we want to have a workable unification with hard links.
    yes, i agree.  but unification has the problem of hard links, meaning all
    vservers have to be in same mount point.  this seems like a limitation
    to me.  it would be nice if read-only wasn't limited to per-superblock
    such that you could effectively mount -o ro --bind.  i know you didn't
    like the granularity limitations of this directory based approach.
    of course, w/out extended attributes you do have to jump through some
    hoops to get file level granularity, and i appreciate the simplicity
    and effectiveness of vserver.
    linux-security-module mailing list
