From: Sascha Silbe (sascha-news-NOSPAM_at_silbe.org)
Date: Sun 01 Dec 2002 - 02:14:08 GMT

• Next message: Sascha Silbe: "[vserver] set_ipv4root, CAP_NET_ADMIN and docu"
• Previous message: Sascha Silbe: "[vserver] set_ipv4root, CAP_NET_ADMIN and docu"

Hi!

Note that the new system calls (new_s_context and set_ipv4root) are not
controlled by capabilities. They are by nature irreversible. Once a virtual
server is trapped in a chroot/s_context/ipv4root box, it can't escape from
the parameters of this trap.

asmlinkage int sys_set_ipv4root (__u32 ip[], int nbip, __u32 bcast)
{
[...]
        }else if (ip_info == NULL
                || ip_info->ipv4[0] == 0
                || capable(CAP_NET_ADMIN)){
                // We are allowed to change everything
                ret = 0;

So the docu says no capability enables one to break out of ipv4root, but the
source suggests otherwise.
Am I missing some important fact or is it a mismatch between theory and
practice?

CU/Lnx Sascha

-- 
Registered Linux User #77587 (http://counter.li.org/)
bomb terrorist afghanistan PGP encrypt CIA FBI BND MAD StaSi anschlag strike sex pussy xxx kill bj hitler Gates MS Windows ZV ZDV

• Next message: Sascha Silbe: "[vserver] set_ipv4root, CAP_NET_ADMIN and docu"
• Previous message: Sascha Silbe: "[vserver] set_ipv4root, CAP_NET_ADMIN and docu"