From: David Wagner (daw_at_mozart.cs.berkeley.edu)
Date: Wed 09 Jan 2002 - 04:06:45 GMT

Jacques Gelinas wrote:
>I have reviewed jail a bit. What should we add in our project to make it
>a superset of jail? [...]

One idea might be control over how jailed processes can access the
network. This is not directly supported in BSD's jail, but two students
in a security class I taught suggested the following clever trick to
support this functionality: create a jail with a new IP address (using
IP aliasing), put the process in this jail, and ensure the process can't
access any other IP addresses. Then you can restrict how this process
can use the network by creating IP firewalling rules that mention the
jail's IP address. For instance, you can configure sendmail so that it
is only allowed to send and receive incoming packets on port 25 and 53.
I imagine vserver could support this easily (if it doesn't already).
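
The setup described in this message, as an added example that is not part of the original post or of the jail or vserver projects: a dry-run shell helper that prints the alias and FreeBSD ipfw commands for a sendmail jail. The helper name `jail_net_rules`, the interface `fxp0`, the address `192.0.2.25`, the rule numbers, and the choice of ipfw with inbound 25 plus outbound 25 and 53 are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: dry-run generator. It only PRINTS commands for review.
# Constructed sample values: interface fxp0, address 192.0.2.25, base rule 1000.

# jail_net_rules IFACE JAIL_IP [BASE]   (hypothetical helper)
jail_net_rules() {
    iface=$1; ip=$2; n=${3:-1000}

    # Reject anything that could add extra words to the generated commands.
    case $iface in ''|*[!A-Za-z0-9]*) echo "bad interface" >&2; return 1 ;; esac
    case $n in ''|0*|*[!0-9]*) echo "bad rule number" >&2; return 1 ;; esac
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) echo "bad address" >&2; return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad address" >&2; return 1; }
    for o in "$@"; do
        [ "$o" -le 255 ] || { echo "bad address" >&2; return 1; }
    done

    # 1. Alias for the jail; the jail is then started bound to this address,
    #    so the jailed process cannot use any other local address.
    # 2. Stateful allows for SMTP (25) and DNS (53) only.
    # 3. Everything else to or from the jail address is dropped and logged.
    # ipfw is first-match: these rules must precede any broader allow rule.
    cat <<EOF
ifconfig $iface inet $ip netmask 255.255.255.255 alias
ipfw add $n check-state
ipfw add $((n+10)) allow tcp from any to $ip 25 setup keep-state
ipfw add $((n+20)) allow tcp from $ip to any 25 setup keep-state
ipfw add $((n+30)) allow udp from $ip to any 53 keep-state
ipfw add $((n+40)) allow tcp from $ip to any 53 setup keep-state
ipfw add $((n+50)) deny log ip from $ip to any
ipfw add $((n+60)) deny log ip from any to $ip
EOF
}

# Print the plan for the constructed sample jail.
jail_net_rules fxp0 192.0.2.25
```

The two trailing deny rules are what make the per-address policy a whitelist: without them, traffic from the jail's address falls through to whatever the host's general rules permit.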