From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Fri 26 Oct 2001 - 16:58:11 BST
On Fri, 26 Oct 2001 00:07:46 -0500, Chris Wright wrote
> * Kyle Hayes (khayes_at_quicknet.net) wrote:
> > It is increasingly possible to do things to the kernel and to the system as a
> > whole through proc interfaces. How can that be controlled?
>
> /proc is a filesystem. since lsm easily controls all access to files
> (and filesystems) this is how you control it. and i'd think it should
> behave like vserver's sysctl interface.
Does it offer a way to limit visibility of files?
> > Do the capability sets allow me to control access to the /proc file such that
> > a chrooted vserver "root" user cannot stop IP forwarding for instance? I do
> > not understand all the things that can be controlled via these capability
> > bits, so please bear with my newbie questions :-)
>
> this depends on the /proc entry. it is a combination of file
> permissions and capabilities.
This is already handled properly by the capabilities. /proc/sys is completely
locked by capability. Well, with a one-line kernel patch, included in
the vserver patch.
---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc