On 8/13/05, Serge E. Hallyn <[EMAIL PROTECTED]> wrote: > The latest version (which is still quite old) is at > http://www.sf.net/projects/linuxjail and does have ipv6 support. The last > time I submitted it, Christoph had objected to the way the networking was > done in general. I've tried twice to float a generalized "per-process > network namespaces" patch, but haven't really found a good approach. > > I suspect that the best approach would be to take the linux-vserver > ngnet implementation and convert it to a standalone network namespace > plus virtual network device implementation. Do you care to give this > a try? > > thanks, > -serge
Why would you want a virtual network device implementation? The whole point of jail() is a replacement for chroot() for housing untrusted root processes in a lightweight manner as reasonable. I think in one way at least, I have restricted the manner of jail behavior better than the current linuxjail, by turning off capabilities rather than blocking mknod(), mount(), etc. I do like the idea of patching in through LSM, however not everything can be done there. In particular, I could escape from the jail as implemented there by a classic chroot() trick. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
