From: Chris Wright (chris_at_wirex.com)
Date: Fri 26 Oct 2001 - 08:07:46 BST

• Next message: Kyle Hayes: "Re: vserver LSM progress"
• Previous message: Rik van Riel: "Re: integration with LSM ?"
• In reply to: Kyle Hayes: "Re: vserver LSM progress"
• Next in thread: Kyle Hayes: "Re: vserver LSM progress"
• Reply: Kyle Hayes: "Re: vserver LSM progress"

* Kyle Hayes (khayes_at_quicknet.net) wrote:
> It is increasingly possible to do things to the kernel and to the system as a
> whole through proc interfaces. How can that be controlled?

/proc is a filesystem. since lsm easily controls all access to files
(and filesystems) this is how you control it. and i'd think it should
behave like vserver's sysctl interface.

> Do the capability sets allow me to control access to the /proc file such that
> a chrooted vserver "root" user cannot stop IP forwarding for instance? I do
> not understand all the things that can be controlled via these capability
> bits, so please bear with my newbie questions :-)

this depends on the /proc entry. it is a combination of file
permissions and capabilities.

-chris

• Next message: Kyle Hayes: "Re: vserver LSM progress"
• Previous message: Rik van Riel: "Re: integration with LSM ?"
• In reply to: Kyle Hayes: "Re: vserver LSM progress"
• Next in thread: Kyle Hayes: "Re: vserver LSM progress"
• Reply: Kyle Hayes: "Re: vserver LSM progress"