Hi,

I've been holding off on resubmitting bsdjail until I have (or someone else has) time to implement a generic framework to do something like network namespaces. (The linux-vserver code seems like a good starting point, if someone wants to play.)

In the interest of providing some sort of hardened chroot ability to Linux, here is bsdjail with the network code ripped out. Eventually the rlimit code might also need to be replaced with a CKRM-based solution.

Attached are three patches, plus a user-space program to be used as the actual chroot replacement.

The first patch, tasklookup.diff, adds a new LSM hook, security_tasklookup, to support the process hiding feature of bsdjail. This is identical to the tasklookup.diff on the linuxjail sf.net project.

The second patch, jail.diff, adds the actual bsdjail LSM. This is different than the patch on sf.net/projects/linuxjail, as it no longer contains the network controls.

jail-doc.diff adds a documentation file.

Finally, chroot_ns.c mimics the behavior of /usr/sbin/chroot using clone(CLONE_NEWNS) and pivot_root. In other words it simply exports the kernel namespace cloning ability to userspace.

Comments appreciated.

thanks,
-serge

--
Serge Hallyn <serue@private>
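The clone(CLONE_NEWNS) plus pivot_root approach described in the message, as an added example that is not part of the original post and is not the attached chroot_ns.c. The names `run_in_new_root`, `jail_child` and `jail_args` are hypothetical; the sketch assumes a current kernel and glibc, needs CAP_SYS_ADMIN, and adds an `MS_PRIVATE` remount so the child's mount changes do not propagate on systems with shared mounts.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

struct jail_args { const char *root; char *const *argv; };

/* Child: already inside the private mount namespace made by CLONE_NEWNS. */
static int jail_child(void *p)
{
    struct jail_args *a = p;
    /* Keep mount changes from propagating back to the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return 111;
    /* pivot_root needs new_root to be a mount point: bind it onto itself. */
    if (mount(a->root, a->root, NULL, MS_BIND | MS_REC, NULL) < 0) return 112;
    if (chdir(a->root) < 0) return 113;
    /* pivot_root(".", ".") stacks the old root on top of the new one. */
    if (syscall(SYS_pivot_root, ".", ".") < 0) return 114;
    /* Detach the old root so nothing outside the new tree stays reachable. */
    if (umount2(".", MNT_DETACH) < 0 || chdir("/") < 0) return 115;
    execv(a->argv[0], a->argv);
    return 116;
}

/* Returns the command's exit status (111-116: setup failed), or -errno. */
int run_in_new_root(const char *root, char *const argv[])
{
    static char stack[64 * 1024] __attribute__((aligned(16)));
    struct jail_args a = { root, argv };
    int status;
    pid_t pid = clone(jail_child, stack + sizeof stack, CLONE_NEWNS | SIGCHLD, &a);
    if (pid < 0) return -errno;              /* EPERM without CAP_SYS_ADMIN */
    if (waitpid(pid, &status, 0) < 0) return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -EINTR;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s newroot /path/to/cmd [args]\n", argv[0]);
        return 2;
    }
    return run_in_new_root(argv[1], &argv[2]) != 0;
}
```

Unlike chroot(2), which only changes the calling process's idea of "/", this leaves the old root unmounted in the child's namespace, so there is no outer tree to walk back into.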
This archive was generated by hypermail 2.1.3 : Tue Jan 25 2005 - 14:32:03 PST