Re: vserver LSM progress

About this list Date view Thread view Subject view Author view Attachment view

From: Kyle Hayes (
Date: Wed Oct 24 2001 - 13:24:47 EDT

On Wednesday 24 October 2001 09:42, Chris Wright wrote:
> I started making a vserver far so good ;-)
> So far I have compute_creds, fork, ptrace and signal delivery ported
> fairly cleanly. The vserver syscalls are stubbed out (and a cut 'n
> paste away from implementation ;-)
> Trouble spots:
> * as Jacques mentioned, /proc won't go clean. my thought here was adding
> a /proc/vserver entry for the modified proc output, and using filesystem
> operations to protect the various vserver contexts from each other.
> thoughts?
> * the scheduler changes won't fit into LSM as they are. this will
> likely remain a patch, unless we can do something sneaky ;-)
> * the vserver adds four new fields to the task_struct: s_context,
> cap_bset, ipv4root and s_info. these need to be collapsed into one
> struct for LSM. is it necessary to maintain s_context and
> s_info->s_context, which appear to be the same?

I am watching this evolve with great interest.

Since /proc can have sensitive information, but is needed for certain things,
is there some way to put the security context into proc so that

is the root of a normal looking proc. Or, is there a way to filter entries
out that don't "belong" to the security context. Or... some other solution?

It is increasingly possible to do things to the kernel and to the system as a
whole through proc interfaces. How can that be controlled?

Do the capability sets allow me to control access to the /proc file such that
a chrooted vserver "root" user cannot stop IP forwarding for instance? I do
not understand all the things that can be controlled via these capability
bits, so please bear with my newbie questions :-)


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MicroTelco Services saves money on every Fax:
- Fax to email (FREE)
- Fax to PSTN based Fax (Up to 95% Savings)
- Fax Broadcasting: Send 100s of faxes to fax machines
and email addresses in the time it takes to send just one!
    So send a fax today and let us know what you think! 
       For more info. visit:

About this list Date view Thread view Subject view Author view Attachment view

This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:00 EDT