[OpenWrt-Devel] [PATCH procd v2 0/5] jail work

John Crispin blogic at openwrt.org
Thu Aug 27 06:18:21 EDT 2015



On 26/08/2015 18:20, Etienne Champetier wrote:
> 
> 
> 2015-08-26 15:48 GMT+02:00 John Crispin <blogic at openwrt.org
> <mailto:blogic at openwrt.org>>:
> 
> 
> 
>     On 26/08/2015 01:00, Etienne CHAMPETIER wrote:
>     > This patch series reworks ujail a bit,
>     > and adds capabilities support to it
> 
>     nice
> 
>     >
>     > Seccomp filters are very powerful but not totally generic,
>     > each arch can have different set of syscalls,
>     > each libc can use different syscall for the same function,
>     > and seccomp isn't supported on all arch.
>     >
>     > Capabilities are more high level, but still can restrict
>     > jail to a sane minimum of privileges.
> 
> 
>     >
>     > Patch 4 is a bit big and i can split it if needed, just tell me how
> 
>     will have a closer look next few days
> 
> forgot to say it's tested on ar71xx with CC (and also on ubuntu 14.04)
>  
> 
>     there seem to be a way to escape from the rebind mount jail that QCA has
>     found
> 
> more than one ;) can you share? (with root rights you can kexec, mount
> /dev, ...)

well if you are root you are root and can delete the bootloader. the
idea of the jail is that you are not root.

i will provide details later on

> that's why you really need to limit rights with capabilities drop or
> seccomp filter
> (i'm adding a vague warning in usage)

why do you want to run a privileged user and restrict its perms rather
than just use an unprivileged user ?

>  
> 
>     and i have not had the time yet to finish my jailfs module.
> 
> with my patches you don't see all the bind mount anymore ("in the host"),
> they are only in the jail mount namespace.
> 
> to see the mounts inside the jail you can still do
> cat /proc/<jailed process pid>/mounts

we don't want rebind mounts at all, they were only an intermediate solution

> 
>     it
>     runs and loads, i can do mounts and access files inside them using
>     normal shell calls. however if i point a jail instance at the
>     mountpoint it oopses horribly. i suspect that i am either using vfs wrong
>     or am missing locking/ref-counting somewhere. i'll throw the code onto
>     github later today or tomorrow and post the link. maybe someone with
>     more knowledge of vfs can help fix it.
> 
> what problem are you fixing with jailfs? (real question/to be sure there
> is no simpler solution)
> 


jailfs is similar to overlayfs as it has a lower dir that we overlay, but
not with changes but with a set of filter rules ... consider it like a
firewall for file i/o

> 
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
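The capability drop Etienne mentions (limiting what a jailed process can do even when it starts with privilege), as an added example written for this page; it is not code from procd or ujail. It zeroes all three capability sets with the raw capset(2) syscall (so no libcap is needed), sets no_new_privs so a later execve() cannot regain privilege through setuid or file-capability binaries, and verifies the result by parsing /proc/self/status, the same interface one would read from outside a jail. It assumes Linux; the function names are mine and the status text in the comments is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Parse the "CapEff:" line of /proc/<pid>/status text (e.g. a constructed
 * "CapEff:\t0000003fffffffff\n") and return the effective capability mask.
 * Returns -1 if the line is absent; bit 63 is never a capability, so the
 * sentinel cannot collide with a real mask. */
long long parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");

    if (!p)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    return (long long)strtoull(p, NULL, 16);
}

/* Clear the permitted, effective and inheritable sets via capset(2), then
 * set no_new_privs. Works unprivileged too (shrinking to nothing is always
 * allowed). Returns 0 on success, -errno on failure. */
int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = 0,                   /* 0 = the calling thread */
    };
    struct __user_cap_data_struct data[2] = { { 0 }, { 0 } }; /* v3: two u32 words per set */

    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -errno;
    return 0;
}

/* Read this process's own effective capability mask from /proc/self/status.
 * Returns the mask, or -1 if the file or the CapEff line is missing. */
long long read_own_cap_eff(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n;

    if (!f)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_eff(buf);
}

int main(void)
{
    long long before = read_own_cap_eff();
    int rc = drop_all_caps();

    if (rc) {
        fprintf(stderr, "drop_all_caps: %s\n", strerror(-rc));
        return 1;
    }
    printf("CapEff before: %016llx\nCapEff after:  %016llx\n",
           (unsigned long long)before, (unsigned long long)read_own_cap_eff());
    return read_own_cap_eff() == 0 ? 0 : 1;
}
```

Run it as root and the "after" line reads all zeros; run it as a normal user and both lines are already zero, which is the point of John's question: starting unprivileged avoids having to get the drop right. Note that this clears the thread's own sets but not the bounding set (PR_CAPBSET_DROP needs CAP_SETPCAP), so a jail that does start privileged should drop the bounding set as well before switching user.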