From: Kyle Hayes (khayes_at_quicknet.net)
Date: Fri 26 Oct 2001 - 17:09:58 BST
On Friday 26 October 2001 08:58, Jacques Gelinas wrote:
> On Fri, 26 Oct 2001 00:07:46 -0500, Chris Wright wrote
>
> > * Kyle Hayes (khayes_at_quicknet.net) wrote:
> > > It is increasingly possible to do things to the kernel and to the
> > > system as a whole through proc interfaces. How can that be
> > > controlled?
> >
> > /proc is a filesystem. Since LSM easily controls all access to files
> > (and filesystems), this is how you control it. And I'd think it should
> > behave like vserver's sysctl interface.
>
> Does it offer a way to limit visibility of files?
>
> > > Do the capability sets allow me to control access to the /proc file
> > > such that a chrooted vserver "root" user cannot stop IP forwarding for
> > > instance? I do not understand all the things that can be controlled
> > > via these capability bits, so please bear with my newbie questions :-)
> >
> > this depends on the /proc entry. it is a combination of file
> > permissions and capabilities.
>
> This is already handled properly by the capabilities. /proc/sys is completely
> locked by capability. Well, with a one-line kernel patch, included in
> the vserver patch.
Ah, good. What I'd really like would be something that would limit the
visibility of all processes in /proc to those in the current security context
and to make sure that nearly everything else in /proc was read-only at least.
/proc/sys is good.
I looked through the documentation but did not see a list of what is
controlled. Where could I find that information? Is this part of Linux
capability sets in general?
Best,
Kyle
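As an added illustration of the check Kyle is asking about (this is not code from the thread or from the vserver project): a small C tool that reports whether the running process holds the capabilities the kernel consults for /proc/sys writes, and probes whether a sysctl file can actually be opened for writing. It assumes the modern Linux capability numbering (CAP_NET_ADMIN = 12, CAP_SYS_ADMIN = 21, from linux/capability.h) and the CapEff line format of /proc/<pid>/status; which capability the one-line vserver patch gates /proc/sys on is not stated in the thread, so the tool only reports what the kernel it runs on permits. The probe path /proc/sys/net/ipv4/ip_forward is the example from the thread; the sample status text in main() is constructed.

```c
/* Added example, not part of the original mailing-list thread.
 * Reports capability bits from /proc/self/status and probes whether a sysctl
 * file is writable by this process. Capability numbers are assumed from
 * linux/capability.h on current kernels. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

#define CAP_NET_ADMIN 12   /* assumed: linux/capability.h numbering */
#define CAP_SYS_ADMIN 21

/* Return 1 if capability bit `cap` is set in a hex mask such as the CapEff
 * value printed by /proc/<pid>/status, 0 otherwise (or for out-of-range cap). */
int cap_in_mask(const char *hexmask, int cap)
{
    unsigned long long m = strtoull(hexmask, NULL, 16);
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((m >> cap) & 1ULL);
}

/* Locate "Key:<whitespace><value>" in a /proc/<pid>/status-style buffer and
 * copy the value (up to end of line) into out. Returns 1 on success, 0 if the
 * key is absent or the value does not fit. */
int status_field(const char *status, const char *key, char *out, size_t outlen)
{
    const char *p = status;
    size_t klen = strlen(key);
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            size_t n = strcspn(v, "\n");
            if (n >= outlen)
                return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return 0;
}

/* Open a sysctl file write-only without writing to it. The kernel performs its
 * DAC and capability checks at open time, so 0 means a write would be allowed;
 * otherwise the negated errno is returned (EACCES/EPERM for a denied write,
 * EROFS on a read-only /proc mount, ENOENT if the entry is not present). */
int sysctl_write_probe(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

int main(void)
{
    /* Constructed sample, used only if /proc/self/status cannot be read
     * (e.g. on a non-Linux host). Bit 12 set: CAP_NET_ADMIN only. */
    char status[4096] = "Name:\tdemo\nCapEff:\t0000000000001000\n";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        size_t n = fread(status, 1, sizeof status - 1, f);
        status[n] = '\0';
        fclose(f);
    }

    char eff[64];
    if (!status_field(status, "CapEff", eff, sizeof eff)) {
        fprintf(stderr, "no CapEff line found\n");
        return 1;
    }
    printf("CapEff=%s  CAP_NET_ADMIN=%d  CAP_SYS_ADMIN=%d\n", eff,
           cap_in_mask(eff, CAP_NET_ADMIN), cap_in_mask(eff, CAP_SYS_ADMIN));

    int rc = sysctl_write_probe("/proc/sys/net/ipv4/ip_forward");
    if (rc == 0)
        printf("ip_forward: writable by this process\n");
    else
        printf("ip_forward: not writable (%s)\n", strerror(-rc));
    return 0;
}
```

Run it once as an unconfined root and once as the confined "root" inside the chroot or security context; the second run should show the relevant capability bit clear and the probe failing with EPERM or EACCES. If the probe instead reports EROFS, the /proc mount itself is read-only, which is a different control from the capability gate.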