Attached is a patch to implement a subset of the BSD Jail functionality as an LSM. For a detailed description of BSD Jail, see http://docs.freebsd.org/44doc/papers/jail/jail.html

This LSM provides a chroot-like environment which cannot be escaped by chdir(..) chroot escapes. Secondly, it supports locking processes which are in a jail to a particular IP address.

Usage:

    echo -n "root /mnt/second_disk" > /proc/$$/attr/exec
    exec /bin/sh

This will simply give a new shell rooted under /mnt/second_disk.

    echo -n "root /mnt/second_disk" > /proc/$$/attr/exec
    echo -n "ip 192.168.2.101" > /proc/$$/attr/exec
    exec /bin/sh

This will again lock a new shell under /mnt/second_disk. Additionally, processes under this jail will only be permitted to use 192.168.2.101. Outbound connections will appear to come from this address, and processes may only listen on this address. Attempts to listen on other addresses are denied. Attempts to listen on all addresses (INADDR_ANY) are denied.

Any number of jails may be created. A process inside a jail of course cannot create a new jail.

Comments are very much appreciated.

-serge
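An added illustration, not code from the patch: a user-space C model of the address-lock rule the message describes for bind(), where a jailed process may listen only on its jail address and both INADDR_ANY and any other address are refused. The struct layout and function names are assumptions made for the example.

```c
/* Added example, not the patch's code: a user-space model of the bind
 * check the jail LSM described above applies to a jailed process. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* Per-jail state (assumed layout): the IPv4 address the jail is locked
 * to, in host order; 0 means only "root" was set, so no address lock. */
struct jail {
    uint32_t ip;
};

/* The policy from the message: a jailed process may listen only on the
 * jail address. INADDR_ANY and every other address get -EPERM. Sockets of
 * other families are not covered by the address lock and pass here. */
int jail_bind_allowed(const struct jail *j, const struct sockaddr *sa)
{
    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
    uint32_t want;

    if (j == NULL || j->ip == 0 || sa->sa_family != AF_INET)
        return 0;
    want = ntohl(sin->sin_addr.s_addr);
    if (want == INADDR_ANY || want != j->ip)
        return -EPERM;
    return 0;
}

/* Convenience wrapper: the jail address as written with "ip a.b.c.d" and
 * the address a bind() asks for, both as dotted quads. -1 if malformed. */
int jail_check_bind(const char *jail_ip, const char *bind_ip)
{
    struct jail j;
    struct sockaddr_in sin;
    struct in_addr a;

    if (inet_pton(AF_INET, jail_ip, &a) != 1)
        return -1;
    j.ip = ntohl(a.s_addr);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, bind_ip, &sin.sin_addr) != 1)
        return -1;
    return jail_bind_allowed(&j, (const struct sockaddr *)&sin);
}
```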
This archive was generated by hypermail 2b30 : Fri Dec 19 2003 - 16:12:55 PST