Re: dirjail module

From: Serge E. Hallyn (hallyn@private)
Date: Mon Nov 10 2003 - 21:10:49 PST


    Oops - I notice I left out one key command, and messed up the
    pathnames.
    
    Once you say "echo 1 > /proc/dirjail/status", the dirjail module
    begins enforcing.  The parameters entered into the files under
    /proc/dirjail then apply to everyone.  So the correct sequence of
    commands should have been:
    
     *  modprobe dirjail
     *  for count in 00 01 02 03; do
     *    echo -n /home/s$count > /proc/dirjail/jails
     *  done
     *  echo -n /bin > /proc/dirjail/exec_exceptions
     *  echo -n /lib > /proc/dirjail/exec_exceptions
     *  echo -n /tmp > /proc/dirjail/rw_exceptions
     *  echo -n /proc > /proc/dirjail/read_exceptions
     *  echo 1 > /proc/dirjail/status
    
    (then echo 0 > /proc/dirjail/status to stop enforcing)
    
    > On Mon, 10 Nov 2003 23:42:26 EST, "Serge E. Hallyn" <hallyn@private>  said:
    > > *  for count in 00 01 02 03; do
    > > *    echo -n /home/s$count > /proc/jails
    > > *  done
    > 
    > Semantic question here: Is /home/s01 the jail?  If so, are things confined
    > to /home/s01/usera and /home/s01/userb able to reference each other?
    
    I guess I've been calling /home/s01 the (or a) "jail parent."  Then /home/s01/u1
    would be a jail.  That was just more concise than having to list each of 100k
    user directories.
    
    > If not, do you have to set up a jail per user, and the intended
    > semantic was 'echo /home/s*/* > /proc/jails'?
    
    Nope.  Once the parameters are set up, they apply to everyone.
    
    (As probably would have been much clearer had I sent out a correct
    description!)
    
    > >  *  echo -n /bin > /proc/exec_exceptions
    > >  *  echo -n /lib > /proc/exec_exceptions
    > 
    > I'll bite.  Should > and >> have different semantics here? (If not,
    > how do you do a multi-value? In one write with embedded \n or something?)
    
    Repeated writes.  Each write should be one line, not ending in newline
    (just to keep the code short), and results in an addition to the hash
    tables.
    
    > Is it acceptable in the general case to have one system-wide value
    > for exec_exceptions?
    
    You do not specify separate exception lists for each jail.  If you say
    
    echo -n /bin > /proc/dirjail/exec_exceptions
    echo -n /usr/lib/perl > /proc/dirjail/exec_exceptions
    echo -n /lib > /proc/dirjail/exec_exceptions
    
    then for all processes which are in any jail, they will be able to
    execute anything under /bin or /lib, plus /usr/bin/perl.
    
    > What's the advantage of doing this rather than doing a 'mount --bind' to
    > populate a chroot jail?
    
    The fact that, in the situation I was looking at, there were 100k users,
    so the possibility of millions of chroot jails.
    
    thanks,
    -serge
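Added example (not code from the dirjail module or from this thread): a small user-space model of the policy semantics Serge describes, so the jail-parent vs. jail distinction and the system-wide exception lists can be checked against concrete paths. Directory-prefix matching, "anything inside the process's own jail is allowed", and read_exceptions granting read only are assumptions of this model, not statements from the post.

```python
# Toy model of the dirjail /proc interface described in the thread.
# Assumptions (not from the post): prefix matching on directory
# boundaries; all ops allowed inside the process's own jail;
# read_exceptions grant read only, rw_exceptions grant read and write.
from pathlib import PurePosixPath


class DirjailPolicy:
    def __init__(self):
        # One set per /proc/dirjail file; each write adds one entry.
        self.jails = set()           # jail *parents*, e.g. /home/s01
        self.exec_exceptions = set()
        self.rw_exceptions = set()
        self.read_exceptions = set()
        self.enforcing = False       # /proc/dirjail/status

    def write(self, proc_file, value):
        """Model 'echo -n VALUE > /proc/dirjail/PROC_FILE' (one entry per write)."""
        if proc_file == "status":
            self.enforcing = value.strip() == "1"
        else:
            getattr(self, proc_file).add(str(PurePosixPath(value)))

    @staticmethod
    def _under(path, directory):
        p, d = PurePosixPath(path), PurePosixPath(directory)
        return p == d or d in p.parents

    def jail_of(self, path):
        """Jail = the first-level directory under a jail parent containing PATH."""
        p = PurePosixPath(path)
        for parent in self.jails:
            par = PurePosixPath(parent)
            if par in p.parents:
                return str(par / p.relative_to(par).parts[0])
        return None

    def allowed(self, proc_jail, path, op):
        """op is 'read', 'write' or 'exec' for a process confined to PROC_JAIL."""
        if not self.enforcing or proc_jail is None:
            return True
        if self._under(path, proc_jail):
            return True  # assumption: own jail is fully accessible
        exceptions = {"exec": self.exec_exceptions,
                      "write": self.rw_exceptions,
                      "read": self.rw_exceptions | self.read_exceptions}[op]
        return any(self._under(path, d) for d in exceptions)


def configure_from_post():
    """Replay the corrected command sequence from the post against the model."""
    pol = DirjailPolicy()
    for count in ("00", "01", "02", "03"):
        pol.write("jails", f"/home/s{count}")
    pol.write("exec_exceptions", "/bin")
    pol.write("exec_exceptions", "/lib")
    pol.write("rw_exceptions", "/tmp")
    pol.write("read_exceptions", "/proc")
    pol.write("status", "1")
    return pol
```

With this configuration, a process jailed in /home/s01/usera cannot read /home/s01/userb, can exec under /bin and /lib, and can read but not write /proc.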
    



    This archive was generated by hypermail 2b30 : Mon Nov 10 2003 - 21:11:33 PST