|| ||"Serge E. Hallyn" <hallyn@CS.WM.EDU>|
|| ||dirjail module|
|| ||Mon, 10 Nov 2003 23:42:26 -0500|
Attached are the header comments for a new LSM. I wrote it a few
months ago to address a particular need in a large-scale installation
for which DTE would have been inefficient. The module source can be
found at http://www.cs.wm.edu/~hallyn/dirjail.c.
I'll be curious to see if anyone else sees any use for this.
* File: dirjail.c
* Description: Intended as an efficient prison for suspect child processes.
* Assume a large set of users. Each has a directory under, say,
* /home/sxx/username, where xx is a number from 00-03, and username
* is the account name. Their files may be served and processed by
* system processes and scripts (apache, accounting, etc). However,
* they may also, under /home/sxx/username, place their own scripts. You
* wish to confine the scripts to MOSTLY access only /home/sxx/username.
* modprobe dirjail
* for count in 00 01 02 03; do
* echo -n /home/s$count > /proc/jails
* echo -n /bin > /proc/exec_exceptions
* echo -n /lib > /proc/exec_exceptions
* echo -n /tmp > /proc/rw_exceptions
* echo -n /proc > /proc/read_exceptions
* Now a script started from under /home/s01/user3 will be confined to
* only read, write, and execute files under /home/s01/user3. Exceptions
* to this are:
* it may execute anything under /bin
* it may read and write under /tmp
* it may read under /proc
* For the sake of simplicity, directory rx is always allowed.
* However, directory write and file rwx are restricted.
* Any children of said process will be convined to the same jail.
* Copyright (C) 2001 Serge E. Hallyn <firstname.lastname@example.org>
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.