BSD Jail LSM patch

From: Serue Hallyen (serue@private)
Date: Fri Dec 19 2003 - 16:11:29 PST

    Attached is a patch to implement a subset of the BSD Jail functionality
    as an LSM.  For a detailed description of BSD Jail, see
    http://docs.freebsd.org/44doc/papers/jail/jail.html
    
    This LSM provides a chroot-like environment which cannot be escaped by
    chdir(..) chroot escapes.  Secondly, it supports locking processes
    which are in a jail to a particular IP address.
    
    Usage:
      echo -n "root /mnt/second_disk" > /proc/$$/attr/exec
      exec /bin/sh
    
    This will simply give a new shell rooted under /mnt/second_disk.
    
      echo -n "root /mnt/second_disk" > /proc/$$/attr/exec
      echo -n "ip 192.168.2.101" > /proc/$$/attr/exec
      exec /bin/sh
    
    This will again lock a new shell under /mnt/second_disk.  Additionally,
    processes under this jail will only be permitted to use 192.168.2.101.
    Outbound connections will appear to come from this address, and
    processes may only listen to this address.  Attempts to listen to other
    addresses are denied.  Attempts to listen to all INADDR_ANY are
    denied.
    
    Any number of jails may be created.  A process inside a jail of course
    cannot create a new jail.
    
    Comments are very much appreciated.
    
    -serge
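
Added example, not part of the original post or the attached patch: a user-space C model of the rules the message describes, parsing the "root"/"ip" directives and deciding whether a jailed process may listen on an address. The names jail_cfg, jail_parse and jail_bind_allowed are hypothetical, and the handling of malformed input is an assumption.

```c
/* Added example: user-space model of the jail rules in the post, not the patch's code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

struct jail_cfg {                 /* hypothetical name and layout */
    char root[256];               /* jail root path, "" if unset */
    struct in_addr ip;            /* jail address, network byte order */
    int has_ip;                   /* 0 = root-only jail, no address lock */
};

/* Parse one directive in the form written to /proc/$$/attr/exec:
 * "root <absolute path>" or "ip <dotted quad>". Returns 0 or -1. */
int jail_parse(struct jail_cfg *j, const char *s)
{
    if (strncmp(s, "root ", 5) == 0) {
        if (s[5] != '/' || strlen(s + 5) >= sizeof j->root)
            return -1;            /* assumption: relative or oversized roots are rejected */
        strcpy(j->root, s + 5);
        return 0;
    }
    if (strncmp(s, "ip ", 3) == 0 && inet_pton(AF_INET, s + 3, &j->ip) == 1) {
        j->has_ip = 1;
        return 0;
    }
    return -1;
}

/* Listen decision for a dotted-quad address: 1 = allow, 0 = deny. */
int jail_bind_allowed(const struct jail_cfg *j, const char *addr)
{
    struct in_addr want;
    if (!j->has_ip)
        return 1;                 /* no "ip" directive was given */
    if (inet_pton(AF_INET, addr, &want) != 1)
        return 0;                 /* assumption: unparsable address is denied */
    if (want.s_addr == htonl(INADDR_ANY))
        return 0;                 /* wildcard listen is denied */
    return want.s_addr == j->ip.s_addr;
}

int main(void)
{
    struct jail_cfg j = {0};      /* constructed input: the post's two usage lines */
    jail_parse(&j, "root /mnt/second_disk");
    jail_parse(&j, "ip 192.168.2.101");
    printf("%s: .101=%d .102=%d any=%d\n", j.root, jail_bind_allowed(&j, "192.168.2.101"),
           jail_bind_allowed(&j, "192.168.2.102"), jail_bind_allowed(&j, "0.0.0.0"));
    return 0;
}
```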