dirjail module

Attached are the header comments for a new LSM.  I wrote it a few
months ago to address a particular need in a large-scale installation
for which DTE would have been inefficient.  The module source can be
found at http://www.cs.wm.edu/~hallyn/dirjail.c.

I'll be curious to see if anyone else sees any use for this.

-serge

/*
 * File: dirjail.c
 *
 * Description: Intended as an efficient prison for suspect child processes.
 *
 *  Assume a large set of users.  Each has a directory under, say,
 *  /home/sxx/username, where xx is a number from 00-03, and username
 *  is the account name.  Their files may be served and processed by
 *  system processes and scripts (apache, accounting, etc).  However,
 *  they may also, under /home/sxx/username, place their own scripts.  You
 *  wish to confine the scripts to MOSTLY access only /home/sxx/username.
 *
 *  modprobe dirjail
 *  for count in 00 01 02 03; do
 *    echo -n /home/s$count > /proc/jails
 *  done
 *  echo -n /bin > /proc/exec_exceptions
 *  echo -n /lib > /proc/exec_exceptions
 *  echo -n /tmp > /proc/rw_exceptions
 *  echo -n /proc > /proc/read_exceptions
 *
 *  Now a script started from under /home/s01/user3 will be confined to
 *  only read, write, and execute files under /home/s01/user3.  Exceptions
 *  to this are:
 *    it may execute anything under /bin
 *    it may read and write under /tmp
 *    it may read under /proc
 *
 *  For the sake of simplicity, directory rx is always allowed.
 *  However, directory write and file rwx are restricted.
 *
 *  Any children of said process will be convined to the same jail.
 *
 * Copyright (C) 2001 Serge E. Hallyn <hallyn@cs.wm.edu>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 */