dcsimg
Linux Today: Linux News On Internet Time.





KernelTrap: BSD Jail With LSM Framework

Sep 15, 2004, 07:00 (0 Talkback[s])

"Serge Hallyn posted a set of three patches to the lkml that together implement a subset of the BSD Jail functionality into the Linux kernel using the Linux Security Modules (LSM) framework. Serge explains that with the patch, 'a process in a jail lives under a chroot which is not vulnerable to the well-known chdir(...)(etc)chroot(.) attack against normal chroots, and may be locked to one ip address.'

"The third patch in the set contains documentation for the module, which notes that in addition to the features listed above, if a process is in a jail it cannot mount or unmount, it cannot send signals outside of the jail, it cannot ptrace processes outside of the jail, it cannot create devices, it cannot renice processes, it cannot load or unload kernel modules, it cannot change network settings, and it cannot see the contents of /proc/ entries of processes not within the same jail..."

Complete Story

Related Stories: