Re: [RFC][PATCH] Add LSM sysctl hook to 2.5.59

From: Russell Coker (russellat_private)
Date: Sun Jan 19 2003 - 17:05:41 PST

  • Next message: Crispin Cowan: "Re: [RFC][PATCH] Add LSM sysctl hook to 2.5.59"

    On Mon, 20 Jan 2003 01:43, Christoph Hellwig wrote:
    > On Mon, Jan 20, 2003 at 01:39:39AM +0100, Russell Coker wrote:
    > > > What's the reason you can't just live with DAC for sysctls?
    > >
    > > What exactly do you mean by "live with DAC" in this context?  If you mean
    > > "allow UID==0 processes to do whatever they like" then it's not going to
    > > work for any sort of chroot setup.
    > This means check the unix file permissions / ACLs only overriden by
    > CAP_FOWNER processes.
    I don't think that would do for my chroot environments.  I want to have root 
    owned processes running in a chroot with no ability to escape or to affect 
    the outside environment (and proc is mounted in the chroot).
    --   My NSA Security Enhanced Linux packages  Bonnie++ hard drive benchmark    Postal SMTP/POP benchmark  My home page
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Sun Jan 19 2003 - 17:06:16 PST