[OpenWrt-Devel] [PATCH procd v2 0/5] jail work

Etienne Champetier champetier.etienne at gmail.com
Wed Aug 26 12:20:24 EDT 2015


2015-08-26 15:48 GMT+02:00 John Crispin <blogic at openwrt.org>:

>
>
> On 26/08/2015 01:00, Etienne CHAMPETIER wrote:
> > This patch series reworks ujail a bit,
> > and adds capabilities support to it
>
> nice
>
> >
> > Seccomp filters are very powerful but not totally generic:
> > each arch can have a different set of syscalls,
> > each libc can use a different syscall for the same function,
> > and seccomp isn't supported on all archs.
> >
> > Capabilities are more high level, but still can restrict
> > jail to a sane minimum of privileges.
>
>
> >
> > Patch 4 is a bit big and i can split it if needed, just tell me how
>
> will have a closer look next few days
>
forgot to say it's tested on ar71xx with CC (and also on ubuntu 14.04)


> there seems to be a way to escape from the rebind mount jail that QCA has
> found

more than one ;) can you share? (with root rights you can kexec, mount
/dev, ...)
that's why you really need to limit rights with capabilities drop or
seccomp filter
(i'm adding a vague warning in usage)


> and i have not had the time yet to finish my jailfs module.

with my patches you don't see all the bind mount anymore ("in the host"),
they are only in the jail mount namespace.

to see the mounts inside the jail you can still do
cat /proc/<jailed process pid>/mounts

> it runs and loads, i can do mounts and access files inside them using
> normal shell calls. however if i point a jail instance at the
> mountpoint it oops horribly. i suspect that i am either using vfs wrong
> or am missing locking/ref-counting somewhere. i'll throw the code onto
> github later today or tomorrow and post the link. maybe someone with
> more knowledge of vfs can help fix it.
>
what problem are you fixing with jailfs? (real question/to be sure there is
no simpler solution)
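As an added illustration of the point made above (a root process inside a bind-mount jail can still kexec or mount /dev, so the jail must drop capabilities), here is a small C program that keeps only a named set of capabilities and drops the rest from the bounding set and the process's own sets, then reads back what the kernel reports in /proc/<pid>/status. This is example code written for this thread, not procd's or ujail's own implementation; it assumes Linux, and the name table and the sample status text in the test are constructed here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Name table for a handful of capabilities a jailed daemon typically asks
 * for; the bit numbers come from linux/capability.h. Constructed for this
 * example, not ujail's own table. */
static const struct { const char *name; int bit; } cap_table[] = {
    { "chown",            CAP_CHOWN },
    { "setgid",           CAP_SETGID },
    { "setuid",           CAP_SETUID },
    { "net_bind_service", CAP_NET_BIND_SERVICE },
    { "net_admin",        CAP_NET_ADMIN },
    { "net_raw",          CAP_NET_RAW },
    { "sys_admin",        CAP_SYS_ADMIN },
};

/* Build a keep-mask (bit n = capability n) from capability names.
 * Returns 0, or -1 with errno = EINVAL on an unknown name. */
int cap_mask_from_names(const char *const *names, size_t n, uint64_t *out)
{
    uint64_t mask = 0;
    for (size_t i = 0; i < n; i++) {
        int found = 0;
        for (size_t j = 0; j < sizeof cap_table / sizeof cap_table[0]; j++) {
            if (strcmp(names[i], cap_table[j].name) == 0) {
                mask |= 1ULL << cap_table[j].bit;
                found = 1;
                break;
            }
        }
        if (!found) { errno = EINVAL; return -1; }
    }
    *out = mask;
    return 0;
}

/* Drop everything outside `keep`: first from the bounding set (so execve
 * can never hand a capability back), then from permitted/effective/
 * inheritable, and finally block future privilege gains via setuid files.
 * Needs CAP_SETPCAP; returns -1 with errno set otherwise. */
int drop_caps_except(uint64_t keep)
{
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (keep & (1ULL << cap))
            continue;
        /* EINVAL means the running kernel is older than the header and
         * does not know this capability, so there is nothing to drop. */
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0 && errno != EINVAL)
            return -1;
    }
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    uint32_t lo = (uint32_t)keep, hi = (uint32_t)(keep >> 32);
    struct __user_cap_data_struct data[2] = { { lo, lo, lo }, { hi, hi, hi } };
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Parse the "CapBnd:" line of /proc/<pid>/status text into a mask.
 * Returns 0, or -1 if the line is missing or malformed. */
int parse_capbnd(const char *status_text, uint64_t *out)
{
    const char *p = strstr(status_text, "CapBnd:");
    if (!p) return -1;
    p += strlen("CapBnd:");
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p || errno != 0) return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Same view of a jailed pid as `grep CapBnd /proc/<pid>/status`. */
int read_capbnd(pid_t pid, uint64_t *out)
{
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_capbnd(buf, out);
}

/* usage (as root): ./capdrop net_bind_service net_raw */
int main(int argc, char **argv)
{
    uint64_t keep = 0, bnd = 0;
    if (cap_mask_from_names((const char *const *)argv + 1, (size_t)argc - 1, &keep) != 0) {
        fprintf(stderr, "unknown capability name\n");
        return 1;
    }
    if (drop_caps_except(keep) != 0) {
        perror("drop_caps_except (needs CAP_SETPCAP)");
        return 1;
    }
    if (read_capbnd(getpid(), &bnd) == 0)
        printf("CapBnd now %016llx (kept %016llx)\n",
               (unsigned long long)bnd, (unsigned long long)keep);
    return 0;
}
```

The bounding set is dropped before the process's own sets because a later execve of a file with file capabilities (or a setuid binary, hence PR_SET_NO_NEW_PRIVS as well) could otherwise regain anything still in the bounding set; checking CapBnd of the jailed pid from the host is the quickest way to confirm the drop actually took effect.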