Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing

• Previous message: Chris Wright: "Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing"
• In reply to: Lorenzo Hernández García-Hierro: "[PATCH] sys_chroot() hook for additional chroot() jails enforcing"
• Next in thread: Lorenzo Hernández García-Hierro: "Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing"
• Reply: Lorenzo Hernández García-Hierro: "Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

If I understood you correct earlier, the only policy you needed to
enforce was to prevent double-chrooting.  If that is the case, why is it
not sufficient to keep a "process-has-used-chroot" flag in
current->security which is set on the first call to
capable(CAP_SYS_CHROOT) and inherited by forked children, after which
calls to capable(CAP_SYS_CHROOT) are refused?

Of course if you need to do more, then a hook might be necessary.

-serge

• Previous message: Chris Wright: "Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing"
• In reply to: Lorenzo Hernández García-Hierro: "[PATCH] sys_chroot() hook for additional chroot() jails enforcing"
• Next in thread: Lorenzo Hernández García-Hierro: "Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing"
• Reply: Lorenzo Hernández García-Hierro: "Re: [PATCH] sys_chroot() hook for additional chroot() jails enforcing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Feb 07 2005 - 15:08:48 PST