[OpenWrt-Devel] [PATCH procd v2 0/5] jail work

John Crispin blogic at openwrt.org
Tue Sep 15 00:13:40 EDT 2015



On 15/09/2015 00:11, Etienne Champetier wrote:
> 
> Just some random stuff:
> 
> - new in kernel 4.3: ambient capabilities (great explanation in the commits)
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=58319057b7847667f0c9585b9de0e8932b0fdb08
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=746bf6d64275be0c65b0631d8a72b16f1454cfa1
> This allows keeping capabilities across execve without being root,
> so if I've understood it right, I can launch a program as nobody, give
> it CAP_NET_ADMIN, and this program can execve 'ip', and we can make it
> work \o/
> 
> - userns are a bit more complicated to set up, but there are great examples
> in https://github.com/netblue30/firejail
> 
> - I'll definitely give jailfs a try, but since it's there to add security,
> I think it would be great to send it upstream for review before we use
> it for everyone
> 
> - I don't know the performance overhead of cgroups, but the memory cgroup
> could be really great for "hungry" software like transmission
> 
> - And for caps, my patches should do the trick
> 
> - we should add an option to set PR_SET_NO_NEW_PRIVS (if we don't use
> seccomp),
> another option to switch user,
> another to launch with strace (/etc/init.d/<aaa> strace),
> (and also we need to write the glue code to use all this from the init
> scripts)
> 
> Good night


Before adding anything new I will dig through the patches currently
sitting in the queue. Once those are in the tree we can see what the
next steps are. I'll also try to throw the jailfs patches on GitHub
today. With the release out the door I now have some free time again.
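The launch sequence Etienne sketches above (start as nobody, carry CAP_NET_ADMIN through execve into an unprivileged binary such as 'ip' via the 4.3 ambient set, then lock the process with PR_SET_NO_NEW_PRIVS), written out as an added example in C; this is not procd code or anything posted in the thread, and the helper names and the uid/gid 65534 for nobody are assumptions.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Fallbacks for toolchains whose headers predate Linux 4.3. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* 1 if cap is in the ambient set, 0 if not, -1 (EINVAL) on kernels before 4.3. */
int ambient_is_set(int cap) { return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0); }

/* Forbid privilege gain on execve (setuid bits, file caps); cannot be undone. */
int set_no_new_privs(void) { return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); }
int get_no_new_privs(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* Must start as root: switch to uid/gid, keep only `cap`, raise it into the
 * ambient set so it survives execve into an unprivileged binary, then set
 * no_new_privs. Returns 0, or -1 with errno set by the failing step. */
int prepare_jailed_exec(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1; /* keep permitted across setuid */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* Ambient raise requires the cap in both the permitted and inheritable sets. */
    data[cap / 32].permitted = data[cap / 32].inheritable = data[cap / 32].effective = 1u << (cap % 32);
    if (syscall(SYS_capset, &hdr, data) < 0) return -1;
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0) return -1;
    return set_no_new_privs();
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <program> [args...]\n", argv[0]); return 2; }
    if (prepare_jailed_exec(65534, 65534, CAP_NET_ADMIN) < 0) { perror("prepare"); return 1; } /* 65534: assumed nobody */
    execvp(argv[1], argv + 1);
    perror("execvp"); return 1;
}
```

Run as root with e.g. `ip link` as the argument; inside the child, `cat /proc/self/status | grep Cap` shows CapAmb containing only CAP_NET_ADMIN and NoNewPrivs set to 1.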