Re: [RFC][PATCH] Add LSM sysctl hook to 2.5.59

From: Russell Coker (russellat_private)
Date: Sun Jan 19 2003 - 17:05:41 PST

  • Next message: Crispin Cowan: "Re: [RFC][PATCH] Add LSM sysctl hook to 2.5.59"

    On Mon, 20 Jan 2003 01:43, Christoph Hellwig wrote:
    > On Mon, Jan 20, 2003 at 01:39:39AM +0100, Russell Coker wrote:
    > > > What's the reason you can't just live with DAC for sysctls?
    > >
    > > What exactly do you mean by "live with DAC" in this context?  If you mean
    > > "allow UID==0 processes to do whatever they like" then it's not going to
    > > work for any sort of chroot setup.
    >
    > This means check the unix file permissions / ACLs only overriden by
    > CAP_FOWNER processes.
    
    I don't think that would do for my chroot environments.  I want to have root 
    owned processes running in a chroot with no ability to escape or to affect 
    the outside environment (and proc is mounted in the chroot).
    
    -- 
    http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
    http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
    http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
    http://www.coker.com.au/~russell/  My home page
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Sun Jan 19 2003 - 17:06:16 PST