Useful sandboxing for privilege separation
Posted Jan 27, 2005 11:13 UTC (Thu) by hmh
In reply to: Securely renting out your CPU with Linux
Parent article: Securely renting out your CPU with Linux
Exactly. Add some read/write-related syscalls (epoll, select, poll, shutdown, fseek and friends, ioctl, mmap of already open FDs...), plus signal handling, and this code would really be useful to create worker children that simply cannot step outside of their very strict bounds.
Give it two security levels (the first one does not give access to seek, ioctl or mmap, or any other non-socket operations), and it would still be useful for grid computing.
It is a pretty exciting idea, overall. AND it is something we can easily use everywhere when available, unlike SELinux.