Oops - I notice I left out one key command, and messed up the pathnames.
Once you say "echo 1 > /proc/dirjail/status", the dirjail module begins
enforcing. The parameters entered into the files under /proc/dirjail then
apply to everyone. So the correct sequence of commands should have been:

 * modprobe dirjail
 * for count in 00 01 02 03; do
 *   echo -n /home/s$count > /proc/dirjail/jails
 * done
 * echo -n /bin > /proc/dirjail/exec_exceptions
 * echo -n /lib > /proc/dirjail/exec_exceptions
 * echo -n /tmp > /proc/dirjail/rw_exceptions
 * echo -n /proc > /proc/dirjail/read_exceptions
 * echo 1 > /proc/dirjail/status

(then echo 0 > /proc/dirjail/status to stop enforcing)

> On Mon, 10 Nov 2003 23:42:26 EST, "Serge E. Hallyn" <hallyn@private> said:
> > * for count in 00 01 02 03; do
> > *   echo -n /home/s$count > /proc/jails
> > * done
>
> Semantic question here: Is /home/s01 the jail? If so, are things confined
> to /home/s01/usera and /home/s01/userb able to reference each other?

I guess I've been calling /home/s01 the (or a) "jail parent." Then
/home/s01/u1 would be a jail. That was just more concise than having to
list each of 100k user directories.

> If not, do you have to set up a jail per user, and the intended
> semantic was 'echo /home/s*/* > /proc/jails'?

Nope. Once the parameters are set up, they apply to everyone. (As probably
would have been much clearer had I sent out a correct description!)

> > * echo -n /bin > /proc/exec_exceptions
> > * echo -n /lib > /proc/exec_exceptions
>
> I'll bite. Should > and >> have different semantics here? (If not,
> how do you do a multi-value? In one write with embedded \n or something?)

Repeated writes. Each write should be one line, not ending in newline
(just to keep the code short), and results in an addition to the hash
tables.

> Is it acceptable in the general case to have one system-wide value
> for exec_exceptions?

You do not specify separate exception lists for each jail. If you say

 * echo -n /bin > /proc/dirjail/exec_exceptions
 * echo -n /usr/lib/perl > /proc/dirjail/exec_exceptions
 * echo -n /lib > /proc/dirjail/exec_exceptions

then for all processes which are in any jail, they will be able to execute
anything under /bin or /lib, plus /usr/bin/perl.

> What's the advantage of doing this rather than doing a 'mount --bind' to
> populate a chroot jail?

The fact that, in the situation I was looking at, there were 100k users,
so the possibility of millions of chroot jails.

thanks,
-serge
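The confinement rules as described in this thread (jail parents listed in /proc/dirjail/jails, one jail per immediate child directory, system-wide exception tables, enforcement toggled by status), modelled as an added example; this is not dirjail's own code. It assumes a process is assigned to the jail containing the path it runs from, and that exec_exceptions grants only exec, rw_exceptions read and write, and read_exceptions read.

```python
import os
from typing import Dict, List, Optional

# Constructed configuration mirroring the echo commands in the message.
# Each repeated write adds one entry to the corresponding table.
JAIL_PARENTS = ["/home/s00", "/home/s01", "/home/s02", "/home/s03"]
EXCEPTIONS: Dict[str, List[str]] = {
    "exec": ["/bin", "/lib"],
    "rw": ["/tmp"],
    "read": ["/proc"],
}
# Assumption: which access kinds each exception table grants.
GRANTS = {"exec": {"exec"}, "rw": {"read", "write"}, "read": {"read"}}


def _under(path: str, top: str) -> bool:
    """Component-wise prefix test after normalisation: /tmpfoo is NOT
    under /tmp, and /home/s01/a/../b resolves to /home/s01/b first."""
    path, top = os.path.normpath(path), os.path.normpath(top)
    return path == top or path.startswith(top.rstrip("/") + "/")


def jail_for(path: str, parents: List[str] = JAIL_PARENTS) -> Optional[str]:
    """Return the jail (jail parent + one path component) containing path,
    or None if the path is not below any jail parent."""
    path = os.path.normpath(path)
    for parent in parents:
        parent = os.path.normpath(parent)
        if _under(path, parent) and path != parent:
            first = path[len(parent) + 1:].split("/")[0]
            return os.path.join(parent, first)
    return None


def allowed(proc_path: str, target: str, access: str,
            enforcing: bool = True) -> bool:
    """Decide whether a process started from proc_path may perform
    access ('read', 'write' or 'exec') on target."""
    if not enforcing:                 # echo 0 > /proc/dirjail/status
        return True
    jail = jail_for(proc_path)
    if jail is None:                  # not in any jail: unconfined
        return True
    if _under(target, jail):          # inside its own jail: permitted
        return True
    # Exception tables are system-wide, not per jail.
    for table, dirs in EXCEPTIONS.items():
        if access in GRANTS[table] and any(_under(target, d) for d in dirs):
            return True
    return False
```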
This archive was generated by hypermail 2b30 : Mon Nov 10 2003 - 21:11:33 PST