Re: [patch 2/3] lsm: add bsdjail module

From: Herbert Poetzl
Date: Tue Oct 12 2004 - 01:56:39 EST


On Mon, Oct 11, 2004 at 02:47:29PM +0100, Alan Cox wrote:
> On Sul, 2004-10-10 at 11:41, Christoph Hellwig wrote:
> > Your filesystem handling code is completely superfluous (and buggy). Please
> > remove all the code dealing with chroot-lookalikes. In your userland script
> > you simply have to clone(.., CLONE_NEWNS) to detach your namespace from your
> > parent, then you can lazily unmount all filesystems and setup your new namespace
> > before starting the jail. The added advantage is that you don't need any
> > kludges to keep the user from exiting the chroot.
>
> AF_UNIX socket and fchdir().
>
> That however requires a co-operator outside the chroot so doesn't seem
> to be a problem. I like the CLONE approach, it's a lot cleaner.

and it works well, because we have been using it for almost
a year now on linux-vserver ;)

best,
Herbert

> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
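
The CLONE_NEWNS approach discussed in the thread, as an added example (not code from the bsdjail patch or from linux-vserver): a child detaches into its own mount namespace, makes its mounts private, optionally lazy-unmounts a path, and reports whether it really left the parent's namespace. It uses fork() plus unshare(CLONE_NEWNS) in place of clone(.., CLONE_NEWNS) and assumes a modern kernel exposing /proc/self/ns/mnt; `jail_namespace_check`, `mnt_ns_id` and `victim` are hypothetical names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mount-namespace identity of the caller, e.g. "mnt:[4026531840]". */
static int mnt_ns_id(char *buf, size_t len)
{
    ssize_t n = readlink("/proc/self/ns/mnt", buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Returns 1 if a forked child got its own mount namespace, 0 if it still
 * shares the parent's, -errno on failure. `victim` (may be NULL) is a mount
 * point to lazily detach; the detach is visible inside the child only. */
int jail_namespace_check(const char *victim)
{
    char parent_ns[64], child_ns[64];
    int fd[2], res = -EIO;
    if (mnt_ns_id(parent_ns, sizeof parent_ns) < 0 || pipe(fd) < 0)
        return -errno;
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        /* Detach, make mounts private (no propagation back), lazy-unmount. */
        if (unshare(CLONE_NEWNS) < 0)            /* needs CAP_SYS_ADMIN */
            res = -errno;
        else if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
            res = -errno;
        else if (victim && umount2(victim, MNT_DETACH) < 0)
            res = -errno;
        else if (mnt_ns_id(child_ns, sizeof child_ns) < 0)
            res = -errno;
        else
            res = strcmp(parent_ns, child_ns) != 0;
        _exit(write(fd[1], &res, sizeof res) == (ssize_t)sizeof res ? 0 : 1);
    }
    close(fd[1]);
    if (read(fd[0], &res, sizeof res) != (ssize_t)sizeof res)
        res = -EIO;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return res;
}
```

Run unprivileged, the function returns a negative errno (typically -EPERM) rather than silently continuing in the shared namespace, which is the failure a jail launcher must treat as fatal.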