[OpenWrt-Devel] [PATCH procd v2 0/5] jail work

John Crispin blogic at openwrt.org
Wed Aug 26 09:48:23 EDT 2015



On 26/08/2015 01:00, Etienne CHAMPETIER wrote:
> This patch series reworks ujail a bit
> and adds capabilities support to it

nice

> 
> Seccomp filters are very powerful but not totally generic:
> each arch can have a different set of syscalls,
> each libc can use different syscalls for the same function,
> and seccomp isn't supported on all archs.
> 
> Capabilities are higher level, but can still restrict
> a jail to a sane minimum of privileges.


> 
> Patch 4 is a bit big and I can split it if needed, just tell me how

will have a closer look next few days

there seems to be a way to escape from the rebind mount jail that QCA has
found and I have not had the time yet to finish my jailfs module. it
runs and loads, I can do mounts and access files inside them using
normal shell calls. however if I point a jail instance at the
mountpoint it oopses horribly. I suspect that I am either using vfs wrong
or am missing locking/ref-counting somewhere. I'll throw the code onto
github later today or tomorrow and post the link. maybe someone with
more knowledge of vfs can help fix it.
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
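The quoted argument for capabilities over seccomp is that a capability keep-list is the same on every arch and libc. As an added example (not code from the patch series or from procd; the name table, the error handling and the function names are my own), this is the core of what a capability-based jail has to do: turn a list of names from its config into a bit mask, refuse unknown names instead of skipping them, then drop everything else from the bounding set and from the permitted/effective/inheritable sets before exec. The mask code is portable; the part that talks to the kernel is Linux-only and needs CAP_SETPCAP to succeed, so an unprivileged run reports EPERM.

```c
/* Added example: capability keep-list -> mask -> applied to the process.
 * Not procd/ujail code; names and functions are this example's own. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#endif

/* Capability names indexed by kernel capability number (numbering as of
 * Linux 3.16; newer kernels append more, which apply_cap_mask still drops). */
static const char *const cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
};
#define CAP_COUNT (sizeof(cap_names) / sizeof(cap_names[0]))

/* "net_bind_service" or "CAP_NET_BIND_SERVICE" -> 10; unknown -> -1. */
int cap_from_name(const char *name)
{
    if (strncasecmp(name, "cap_", 4) == 0)
        name += 4;
    for (size_t i = 0; i < CAP_COUNT; i++)
        if (strcasecmp(name, cap_names[i]) == 0)
            return (int)i;
    return -1;
}

/* Build the keep-mask from a config list. An unknown name is a hard error
 * (index returned in *bad): a typo like "sys_admn" must not be skipped
 * silently, or the jail ends up with a different set than the config says. */
int caps_mask_from_names(const char *const *names, size_t n,
                         uint64_t *mask, size_t *bad)
{
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++) {
        int c = cap_from_name(names[i]);
        if (c < 0) {
            if (bad)
                *bad = i;
            return -1;
        }
        m |= (uint64_t)1 << c;
    }
    *mask = m;
    return 0;
}

/* Apply the mask to the calling process. Order matters: PR_CAPBSET_DROP needs
 * CAP_SETPCAP in the effective set, so the bounding set is shrunk first and
 * capset(2) last. Returns 0 or -errno; non-Linux builds return -ENOSYS. */
int apply_cap_mask(uint64_t keep)
{
#ifdef __linux__
    /* Raw capset(2) ABI; the layout and version constant are those of
     * struct __user_cap_{header,data}_struct, _LINUX_CAPABILITY_VERSION_3. */
    struct { uint32_t version; int pid; } hdr = { 0x20080522u, 0 };
    uint32_t lo = (uint32_t)keep, hi = (uint32_t)(keep >> 32);
    struct { uint32_t effective, permitted, inheritable; } data[2] = {
        { lo, lo, lo }, { hi, hi, hi },
    };
    for (unsigned c = 0; c < 64; c++) {
        if (keep & ((uint64_t)1 << c))
            continue;
        if (prctl(PR_CAPBSET_DROP, c, 0, 0, 0) < 0) {
            if (errno == EINVAL)   /* past the kernel's last capability */
                break;
            return -errno;
        }
    }
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
#else
    (void)keep;
    return -ENOSYS;
#endif
}

int main(void)
{
    /* Constructed config: what a small network daemon in a jail might need. */
    const char *const keep[] = { "net_bind_service", "net_raw" };
    uint64_t mask = 0;
    size_t bad = 0;
    if (caps_mask_from_names(keep, 2, &mask, &bad) < 0) {
        fprintf(stderr, "unknown capability: %s\n", keep[bad]);
        return 1;
    }
    printf("keep mask: 0x%016llx\n", (unsigned long long)mask);
    int rc = apply_cap_mask(mask);
    printf("apply_cap_mask: %s\n", rc ? strerror(-rc) : "ok");
    return 0;
}
```

Two caveats a jail still has to handle after this: the mask only limits the process that called it, and an exec of a setuid or file-capability binary can add capabilities back unless PR_SET_NO_NEW_PRIVS (or the SECBIT_NOROOT securebits) is set before the exec; and the set a kernel actually knows is discovered at runtime here by stopping at the first EINVAL, so the name table above only needs to cover what the config may mention.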