From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Wed 09 Jan 2002 - 18:25:31 GMT
On Wed, 9 Jan 2002 04:06:45 -0500, David Wagner wrote
> Jacques Gelinas wrote:
> >I have reviewed jail a bit. What should we add in our project to make it
> >a superset of jail ? [...]
>
> One idea might be control over how jailed processes can access the
> network. This is not directly supported in BSD's jail, but two students
> in a security class I taught suggested the following clever trick to
> support this functionality: create a jail with a new IP address (using
> IP aliasing), put the process in this jail, and ensure the process can't
> access any other IP addresses. Then you can restrict how this process
> can use the network by creating IP firewalling rules that mention the
> jail's IP address. For instance, you can configure sendmail so that it
> is only allowed to send and receive incoming packets on port 25 and 53.
> I imagine vserver could support this easily (if it doesn't already).
This is exactly what the vserver does. A vserver is locked on one IP. It can only
bind (service and outgoing) to this IP. If it binds to 0.0.0.0, this is remapped to the
allocated IP.

Another feature you can do with that is allocate one routing table per vserver
and use the from address to select the routing table. Since a vserver has to
use its IP address and this is the only one it can use, a vserver is forced to
use its routing table. Linux can have 254 different routing tables. Playing with that
you can have

    different gateways for different vservers
    different routing policies/priority per vserver

Note that this feature of the vserver is not vserver specific. It relies on a
new system call called set_ipv4root and it is used by a /usr/sbin/chbind utility. Anyone
can do

    /usr/sbin/chbind --ip some_IP somecommands

and the command will be locked with this IP. You can also do

    /usr/sbin/chbind --ip 1.2.3.4 some command

(I assume 1.2.3.4 is not a valid IP interface of your server) and this command
won't be able to do any networking at all, since any attempt to bind will
be remapped to 1.2.3.4 and binding to 1.2.3.4 will be rejected later by the kernel.
---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc
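
The per-vserver routing table setup described in the message above, as an added example that is not part of the original post and not the vserver project's own code: a dry-run script that prints the iproute2 commands which select a routing table by source address. The vserver names, addresses (192.0.2.0/24 documentation range), gateways and table ids are constructed assumptions.

```shell
#!/bin/sh
# Added example (dry run): prints commands, changes nothing on the host.
# Constructed sample inventory: name, locked IP, gateway, routing table id.
# Names and addresses are hypothetical (192.0.2.0/24 documentation range).
VSERVERS='web 192.0.2.10 192.0.2.1 101
mail 192.0.2.20 192.0.2.254 102'

# Succeeds only for a dotted quad with four octets in 0-255.
valid_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Reads "name ip gateway table" lines on stdin and prints, per vserver,
# the table's default route and the source-address rule that selects it.
plan_vserver_routes() {
  while read -r name ip gw table; do
    [ -n "$name" ] || continue
    if ! valid_ipv4 "$ip" || ! valid_ipv4 "$gw"; then
      echo "$name: bad address" >&2; return 1
    fi
    # Table ids 253-255 are the stock default/main/local tables; keep clear.
    case "$table" in ''|*[!0-9]*|????*) echo "$name: bad table" >&2; return 1 ;; esac
    if [ "$table" -lt 1 ] || [ "$table" -gt 252 ]; then
      echo "$name: table id out of range" >&2; return 1
    fi
    echo "# vserver $name, locked to $ip"
    echo "ip route add default via $gw table $table"
    echo "ip rule add from $ip/32 lookup $table"
  done
}

printf '%s\n' "$VSERVERS" | plan_vserver_routes
```

The source-address rule is only a containment boundary because the process cannot bind any other address, so review the printed plan against the IP each vserver is actually locked to before applying it as root.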