Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing

From: Chris Wright (chrisw@private)
Date: Mon Feb 07 2005 - 14:34:27 PST


* Lorenzo Hernández García-Hierro (lorenzo@private) wrote:
> Attached you can find a patch which adds a new hook for the sys_chroot()
> syscall, and makes us able to add additional enforcing and security
> checks by using the Linux Security Modules framework (ie. chdir
> enforcing, etc).

If you want to make a change like this, collapse the
capable(CAP_SYS_CHROOT) check behind this hook, no point having two
outcalls from same call site.  What logic do you expect to put behind
the chroot() hook?

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net



This archive was generated by hypermail 2.1.3 : Mon Feb 07 2005 - 14:34:55 PST