From: Serge Hallyn <serue@us.ibm.com>
To: linux-security-module@wirex.com
Subject: BSD Jail LSM patch
Date: 19 Dec 2003 18:11:29 -0600
Attached is a patch to implement a subset of the BSD Jail functionality
as an LSM. For a detailed description of BSD Jail, see
http://docs.freebsd.org/44doc/papers/jail/jail.html

This LSM provides a chroot-like environment which cannot be escaped by
the well-known chdir(..) chroot escapes. Secondly, it supports locking
processes which are in a jail to a particular IP address.
Usage:

    echo -n "root /mnt/second_disk" > /proc/$$/attr/exec
    exec /bin/sh

This will simply give a new shell rooted under /mnt/second_disk.

    echo -n "root /mnt/second_disk" > /proc/$$/attr/exec
    echo -n "ip 192.168.2.101" > /proc/$$/attr/exec
    exec /bin/sh
This will again lock a new shell under /mnt/second_disk. Additionally,
processes under this jail will only be permitted to use 192.168.2.101.
Outbound connections will appear to come from this address, and
processes may only listen on this address. Attempts to listen on other
addresses are denied. Attempts to listen on all addresses (INADDR_ANY)
are denied.
Any number of jails may be created. A process inside a jail of course
cannot create a new jail.
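As an added illustration (not code from the patch or this mail), the following is a small user-space model in C of the two commands written to /proc/$$/attr/exec and of the bind/listen decision described above; the absolute-path requirement for "root" and the refusal of 0.0.0.0 as a jail address are my assumptions, not something the mail states.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the two commands the jail LSM accepts through
 * /proc/$$/attr/exec ("root <path>", "ip <dotted-quad>"). Hypothetical
 * illustration of the described policy, not the kernel module's code. */
struct jail_policy {
    char root[256];     /* new filesystem root, "" if unset */
    struct in_addr ip;  /* the single address a jailed process may use */
    int has_ip;
};

/* Parse one command. Returns 0 on success, -1 if malformed or unsupported. */
int jail_parse_cmd(struct jail_policy *p, const char *cmd)
{
    char arg[256];
    if (sscanf(cmd, "root %255s", arg) == 1) {
        if (arg[0] != '/')  /* assumption: the jail root must be absolute */
            return -1;
        strcpy(p->root, arg);
        return 0;
    }
    if (sscanf(cmd, "ip %255s", arg) == 1) {
        struct in_addr a;   /* INADDR_ANY can never be used, so refuse it */
        if (inet_pton(AF_INET, arg, &a) != 1 || a.s_addr == htonl(INADDR_ANY))
            return -1;
        p->ip = a;
        p->has_ip = 1;
        return 0;
    }
    return -1;
}

/* bind()/listen() decision as the mail describes it: only the jail's own
 * address is allowed; INADDR_ANY and every other address are denied.
 * Returns 1 if allowed, 0 if denied (unparsable input is denied). */
int jail_bind_allowed(const struct jail_policy *p, const char *addr)
{
    struct in_addr a;
    if (inet_pton(AF_INET, addr, &a) != 1)
        return 0;
    if (!p->has_ip)
        return 1;   /* no ip lock on this jail */
    return a.s_addr != htonl(INADDR_ANY) && a.s_addr == p->ip.s_addr;
}
```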
Comments are very much appreciated.
-serge