[OpenWrt-Devel] [PATCH procd v2 0/5] jail work
blogic at openwrt.org
Thu Aug 27 06:18:21 EDT 2015
On 26/08/2015 18:20, Etienne Champetier wrote:
> 2015-08-26 15:48 GMT+02:00 John Crispin <blogic at openwrt.org>:
> On 26/08/2015 01:00, Etienne CHAMPETIER wrote:
> > This patch series reworks ujail a bit,
> > and adds capabilities support to it
> > Seccomp filters are very powerful but not totally generic,
> > each arch can have a different set of syscalls,
> > each libc can use a different syscall for the same function,
> > and seccomp isn't supported on all arch.
> > Capabilities are more high level, but still can restrict
> > jail to a sane minimum of privileges.
> > Patch 4 is a bit big and i can split it if needed, just tell me how
> will have a closer look next few days
> forgot to say it's tested on ar71xx with CC (and also on ubuntu 14.04)
> there seems to be a way to escape from the rebind mount jail that QCA has
> more than one ;) can you share? (with root rights you can kexec, mount
> /dev, ...)
well if you are root you are root and can delete the bootloader. the
idea of the jail is that you are not root.
i will provide details later on
> that's why you really need to limit rights with capabilities drop or
> seccomp filter
> (i'm adding a vague warning in usage)
why do you want to run a privileged user and restrict its perms rather
than just use an unprivileged user ?
> and i have not had the time yet to finish my jailfs module.
> with my patches you don't see all the bind mount anymore ("in the host"),
> they are only in the jail mount namespace.
> to see the mounts inside the jail you can still do
> cat /proc/<jailed process pid>/mounts
we don't want rebind mounts at all, they were only an intermediate solution
> runs and loads, i can do mounts and access files inside them using
> normal shell calls. however if i point a jail instance at the
> mountpoint it oops horribly. i suspect that i am either using vfs wrong
> or am missing locking/ref-counting somewhere. i'll throw the code onto
> github later today or tomorrow and post the link. maybe someone with
> more knowledge of vfs can help fix it.
> what problem are you fixing with jailfs? (real question/to be sure there
> is no simpler solution)
jailfs is similar to overlayfs as it has a lower dir that we overlay but
not with changes but with a set of filter rules ... consider it like a
firewall for file i/o