Merging into the LSM: handling /proc


From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Wed Oct 24 2001 - 02:31:08 EDT


I have looked at the LSM and it seems to be the thing we need (and
potentially a thing I need to complete my virtualfs
http://www.solucorp.qc.ca/virtualfs project)

Currently, the LSM is about security; the blob concept is useful and
can replace the context_info structure I am currently using.

I found some features missing in relation to the vserver project. In no
particular order:

The hooks are generally of the form

        ret = security_hooks(...);
        if (!ret) {
                /* OK, we are allowed to do the job */
        }

In some cases, it would be useful to allow an override:

        int done = 0;
        ret = security_hooks(&done, ...);
        if (!ret && !done) {
                ...
        }

This seems like featurism for the security module, but it can be an issue
for the vserver project. For example, the current kernel patch provides
a per-vserver hostname. This is probably doable in user space (modifying
glibc somewhat, maybe), but might not be as robust. Several utilities
rely on the hostname to initialise some defaults. We want vserver to
be as real as possible.

The vserver patch provides a modified view of the processes in /proc. How
can this be built right now?

---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc
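The three outcomes the proposed "done" flag gives a hook (deny, fall through to the normal kernel path, or override the result) are easier to see in runnable form. The following is an added example, written for this page and not code from the post, the LSM patches or the vserver patch; it models the per-vserver hostname case in plain user-space C. The names security_hostname(), struct sec_ctx, struct security_ops, vserver_hostname(), deny_hostname() and the sample hostnames are all assumptions made for the illustration.

```c
/* Added example (not from the post or the LSM/vserver patches): a toy model of
 * the "override" hook shape described above.  A hook can
 *   (a) return non-zero to deny the operation,
 *   (b) return 0 with *done == 0 to fall through to the default kernel path, or
 *   (c) return 0 with *done == 1 to say it already produced the result.
 * All type and function names here are assumptions for the illustration.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_LEN 64

/* Stand-in for the per-task security blob: a context id and an optional
 * per-context hostname (NULL means "no override, use the host's name"). */
struct sec_ctx {
    int         ctx_id;
    const char *hostname;
};

/* Hook signature with the extra "done" out-parameter from the post. */
struct security_ops {
    int (*hostname)(int *done, const struct sec_ctx *ctx, char *buf, size_t len);
};

/* Default module: permit everything, never override (done stays 0). */
static int dummy_hostname(int *done, const struct sec_ctx *ctx, char *buf, size_t len)
{
    (void)ctx; (void)buf; (void)len;
    *done = 0;
    return 0;
}

/* vserver-style module: if the context carries its own hostname, supply it
 * and mark the request as done so the caller skips the system-wide name. */
static int vserver_hostname(int *done, const struct sec_ctx *ctx, char *buf, size_t len)
{
    *done = 0;
    if (ctx == NULL || ctx->hostname == NULL)
        return 0;                       /* fall through to the real hostname */
    if (strlen(ctx->hostname) >= len)
        return -ENAMETOOLONG;           /* deny rather than truncate silently */
    strcpy(buf, ctx->hostname);
    *done = 1;                          /* result already produced */
    return 0;
}

/* Restrictive module: deny hostname lookups outside context 0. */
static int deny_hostname(int *done, const struct sec_ctx *ctx, char *buf, size_t len)
{
    (void)buf; (void)len;
    *done = 0;
    return (ctx != NULL && ctx->ctx_id != 0) ? -EPERM : 0;
}

static const char *system_hostname = "realhost";   /* constructed sample value */

/* The caller shape from the post: ret = hook(&done, ...); if (!ret && !done) {...} */
int security_hostname(const struct security_ops *ops, const struct sec_ctx *ctx,
                      char *buf, size_t len)
{
    int done = 0;
    int ret = ops->hostname(&done, ctx, buf, len);
    if (ret)
        return ret;                     /* module denied the operation */
    if (!done) {                        /* module did not override: normal path */
        if (strlen(system_hostname) >= len)
            return -ENAMETOOLONG;
        strcpy(buf, system_hostname);
    }
    return 0;
}

const struct security_ops dummy_ops   = { dummy_hostname };
const struct security_ops vserver_ops = { vserver_hostname };
const struct security_ops deny_ops    = { deny_hostname };

int main(void)
{
    char buf[HOST_LEN];
    struct sec_ctx host = { 0, NULL }, vs1 = { 1, "vs1.example" };
    int rc;

    rc = security_hostname(&vserver_ops, &host, buf, sizeof buf);
    printf("vserver ops, host ctx: rc=%d name=%s\n", rc, buf);
    rc = security_hostname(&vserver_ops, &vs1, buf, sizeof buf);
    printf("vserver ops, ctx 1:    rc=%d name=%s\n", rc, buf);
    rc = security_hostname(&deny_ops, &vs1, buf, sizeof buf);
    printf("deny ops, ctx 1:       rc=%d (-EPERM is %d)\n", rc, -EPERM);
    return 0;
}
```

The point of keeping "done" separate from the return value is that a denial and an override are different answers: a non-zero return still short-circuits the operation exactly as today's permit/deny hooks do, while done == 1 with a zero return lets a module substitute its own result without the core kernel needing to know why.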



This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:00 EDT