Re: very amazing, that bsdjail module

From: Sander (sander@private)
Date: Mon Feb 02 2004 - 14:11:45 PST

    Hi Serge,
    
    Serge Hallyn wrote (ao):
    > > Just wanted to say that I'm very amazed by your bsdjail module. The
    > > December patch works just great and seems to give a very solid jail.
    > > Just found the January patch which I'll try later. Linux needs this
    > > patch.
    > 
    > As you are testing the January jail patch, please let me know if you
    > find any usability shortcomings/missing features. In particular, the
    > actual Jail in BSD mangles ioctl output so that an ifconfig in a jail
    > returns the jail's fake IP address. The bsdjail LSM does not do that
    > yet. I'm curious how important this is to potential bsdjail users,
    > since implementing this feature will be darned ugly.
    
    I have no experience with the BSD jail, only heard and read about it. So
    for me (searching for a working chroot solution) your module is already
    incredible, even if it has some missing features compared to the BSD
    jail. For me, it is okay not to return the fake IP address. And the less
    complex or ugly the module is, the more secure it is, right :-)
    
    Btw, the January patch gives the following output for an -mm patched
    kernel during compile. For example, Linux kernel 2.6.1 with patches
    2.6.2-rc2, 2.6.2-rc2-mm2 and the jail patch:
    
    /usr/src/linux-2.6.2-rc2-mm2/security/bsdjail.c: In function `proc_readdir_cp':
    /usr/src/linux-2.6.2-rc2-mm2/security/bsdjail.c:283: warning: implicit declaration of function `lock_kernel'
    /usr/src/linux-2.6.2-rc2-mm2/security/bsdjail.c:330: warning: implicit declaration of function `unlock_kernel'
    
    and
    
    WARNING: /lib/modules/2.6.2-rc2-mm2/kernel/security/bsdjail.ko needs unknown symbol unlock_kernel
    WARNING: /lib/modules/2.6.2-rc2-mm2/kernel/security/bsdjail.ko needs unknown symbol lock_kernel
    
    
    After reboot 'modprobe bsdjail' gives this:
    
    FATAL: Error inserting bsdjail (/lib/modules/2.6.2-rc2-mm2/kernel/security/bsdjail.ko): Unknown symbol in module, or unknown parameter (see dmesg)
    
    and dmesg:
    
    bsdjail: Unknown symbol unlock_kernel
    bsdjail: Unknown symbol lock_kernel
    
    
    Of course this is a multi-patched kernel, and now I broke it because of
    that and get to keep both pieces :-)  But maybe you are interested in
    such a report.
    
    I have one question: If I create a tree for the jail and remove user
    root from the /jail/etc/passwd files, does root _really_ not exist there
    anymore? Are files from id 0 unremovable from inside the jail? I have to
    try setuid files (rm) yet (reboot to old kernel), but wonder about the
    added security of a removed root user.
    
    Thanks!
    
    With kind regards, Sander
    
    -- 
    Humilis IT Services and Solutions
    http://www.humilis.net
    


