Re: integration with LSM ?

From: Sam Vilain (sam_at_vilain.net)
Date: Thu Oct 25 2001 - 15:23:42 EDT


On Tue, 23 Oct 2001 23:00:49 -0200 (BRST)
Rik van Riel <riel_at_conectiva.com.br> wrote:

> One minor nitpick, 'vserver <foo> build' could use 'mount --bind'
> on the 2.4 kernels; this would save both disk space and memory use,
> and 'mount --bind' also accepts options like read only mounts so
> root inside the vservers cannot mess with the files.

For some applications, you WANT root to be able to change the files - ie,
in an ISP environment. However, you want to hard link their libc's, etc,
so that you save memory.

In order to prevent people changing libc's that other vservers are
accessing, you then need to make the files immutable, but then you can't
replace them when you upgrade the vservers.

I've hacked another attribute into the kernel to solve this problem; see
http://sam.vilain.net/immutable/. You also need to patch your e2fsprogs.

--
   Sam Vilain, sam_at_vilain.net     WWW: http://sam.vilain.net/
    7D74 2A09 B2D3 C30F F78E      GPG: http://sam.vilain.net/sam.asc
    278A A425 30A9 05B5 2F13
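The hard-link scheme discussed above has a cross-tenant side effect worth seeing concretely: a write through one vserver's path lands in the shared inode and is visible from every other root, which is exactly why the immutable flag is wanted, while an upgrade that installs a fresh inode and renames it into place touches only the root being upgraded. The following POSIX shell demonstration is an added example and not code from the thread; the vserver roots, file names and contents are constructed in a scratch directory, and the immutable attribute itself is not exercised because it needs root and an ext2/ext3 filesystem.

```shell
#!/bin/sh
# Added demonstration (not from the thread): two "vserver" roots sharing libc
# via a hard link, the in-place-write risk, and an upgrade that does not leak.
# All paths and file contents are constructed for this example.
set -eu

# Build two vserver roots whose libc is one hard-linked inode (saves disk and
# page cache, as the email proposes).
setup_roots() {
    base="$1"
    mkdir -p "$base/vs1/lib" "$base/vs2/lib"
    printf 'libc v1\n' > "$base/vs1/lib/libc.so"
    ln "$base/vs1/lib/libc.so" "$base/vs2/lib/libc.so"   # same inode, one copy
}

# Inode number of a path (first field of POSIX `ls -i`).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Hard-link count of a path (second field of POSIX `ls -l`).
link_count() {
    ls -l "$1" | awk '{print $2}'
}

# Risk: root inside vs1 writes through the shared inode; prints what vs2 now
# sees. Without an immutable flag, every tenant sharing the inode is affected.
tamper_in_place() {
    base="$1"
    printf 'tampered\n' > "$base/vs1/lib/libc.so"
    cat "$base/vs2/lib/libc.so"
}

# Upgrade pattern: write the new version to a fresh inode, then rename it over
# the old name in ONE root. The other root keeps its old inode untouched.
upgrade_root() {
    root="$1"
    content="$2"
    printf '%s\n' "$content" > "$root/lib/libc.so.new"   # fresh inode
    mv "$root/lib/libc.so.new" "$root/lib/libc.so"        # swap directory entry
}

# Defender's check: list files under a tree that are shared with other paths
# (link count > 1), i.e. candidates that must be protected from in-place writes.
shared_files() {
    find "$1" -type f -links +1
}

demo() {
    d=$(mktemp -d)
    setup_roots "$d"
    echo "shared inode: $(inode_of "$d/vs1/lib/libc.so") == $(inode_of "$d/vs2/lib/libc.so")"
    echo "vs2 sees after vs1 writes in place: $(tamper_in_place "$d")"
    upgrade_root "$d/vs1" 'libc v2'
    echo "after upgrading vs1 only: vs1=$(cat "$d/vs1/lib/libc.so") vs2=$(cat "$d/vs2/lib/libc.so")"
    echo "files still shared:"; shared_files "$d" || true
    rm -rf "$d"
}

demo
```

The in-place write is the case the immutable flag is meant to block; the rename-based upgrade is how a per-vserver libc can be replaced without disturbing neighbours, although, as the email notes, a name whose inode is marked immutable cannot be replaced this way either, which is the gap the extra attribute at the linked URL is meant to close. On kernels from 2.6.26 onward the read-only bind mount mentioned in the quoted text is made effective with a second step, `mount -o remount,bind,ro`.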

This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:00 EDT