On 26/08/2015 18:20, Etienne Champetier wrote:
>
> 2015-08-26 15:48 GMT+02:00 John Crispin <blo...@openwrt.org>:
>
>> On 26/08/2015 01:00, Etienne CHAMPETIER wrote:
>>> This patch series reworks ujail a bit,
>>> and adds capabilities support to it
>>
>> nice
>>
>>> Seccomp filters are very powerful but not totally generic,
>>> each arch can have a different set of syscalls,
>>> each libc can use a different syscall for the same function,
>>> and seccomp isn't supported on all archs.
>>>
>>> Capabilities are more high level, but can still restrict
>>> the jail to a sane minimum of privileges.
>>>
>>> Patch 4 is a bit big and i can split it if needed, just tell me how
>>
>> will have a closer look next few days
>
> forgot to say it's tested on ar71xx with CC (and also on ubuntu 14.04)
>
>> there seems to be a way to escape from the rebind mount jail that QCA has
>> found
>
> more than one ;) can you share? (with root rights you can kexec, mount
> /dev, ...)

well if you are root you are root and can delete the bootloader. the idea
of the jail is that you are not root. i will provide details later on

> that's why you really need to limit rights with capabilities drop or
> seccomp filter
> (i'm adding a vague warning in usage)

why do you want to run a privileged user and restrict its perms rather
than just use an unprivileged user ?

>> and i have not had the time yet to finish my jailfs module.
>
> with my patches you don't see all the bind mounts anymore ("in the host"),
> they are only in the jail mount namespace.
>
> to see the mounts inside the jail you can still do
> cat /proc/<jailed process pid>/mounts

we don't want rebind mounts at all, they were only an intermediate solution

>> it
>> runs and loads, i can do mounts and access files inside them using
>> normal shell calls. however if i point a jail instance at the
>> mountpoint it oopses horribly. i suspect that i am either using vfs wrong
>> or am missing locking/ref-counting somewhere. i'll throw the code onto
>> github later today or tomorrow and post the link. maybe someone with
>> more knowledge of vfs can help fix it.
>
> what problem are you fixing with jailfs? (real question/to be sure there
> is no simpler solution)

jailfs is similar to overlayfs as it has a lower dir that we overlay, but not
with changes but with a set of filter rules ... consider it like a firewall
for file i/o

> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
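The capability drop Etienne proposes, and the caveat behind John's "why run a privileged user" question, as an added stand-alone example (this is not ujail or procd code, and the function names get_caps / drop_caps_except / verify_drop_in_child are ours): it keeps an allow-list of capabilities, removes everything else from the bounding set and from the permitted/effective/inheritable sets via the raw capget/capset syscalls, and sets no_new_privs. The "root can kexec, mount /dev" escapes in the thread correspond to CAP_SYS_BOOT, CAP_SYS_ADMIN and CAP_MKNOD, which the allow-list below does not include. The constant values are the kernel ABI ones from include/uapi/linux/capability.h, copied here so the file builds without libcap or the kernel headers.

```c
/* Added example: reduce a process to an allow-list of Linux capabilities.
 * Not ujail/procd code. Constants match include/uapi/linux/capability.h. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif

#define CAP_SETPCAP          8   /* needed to shrink the bounding set */
#define CAP_NET_BIND_SERVICE 10
#define CAP_SYS_ADMIN        21  /* mount(2), among much else */
#define CAP_SYS_BOOT         22  /* reboot(2) / kexec_load(2) */
#define CAP_MKNOD            27  /* device nodes under /dev */
#define CAP_MASK(c)          ((uint64_t)1 << (c))
#define LINUX_CAPABILITY_VERSION_3 0x20080522u

struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Read our effective/permitted/inheritable sets as 64-bit masks. */
static int get_caps(uint64_t *eff, uint64_t *prm, uint64_t *inh)
{
    struct cap_hdr hdr = { LINUX_CAPABILITY_VERSION_3, 0 };
    struct cap_data d[2];
    if (syscall(SYS_capget, &hdr, d) < 0)
        return -1;
    *eff = (uint64_t)d[1].effective   << 32 | d[0].effective;
    *prm = (uint64_t)d[1].permitted   << 32 | d[0].permitted;
    *inh = (uint64_t)d[1].inheritable << 32 | d[0].inheritable;
    return 0;
}

/* Keep only the capabilities in `keep`. The bounding-set drop is what
 * survives execve() for uid 0 (exec refills permitted from the bounding
 * set for root), so it goes first; it needs CAP_SETPCAP and is skipped
 * when we do not hold it, i.e. when we are already unprivileged. */
static int drop_caps_except(uint64_t keep)
{
    uint64_t eff, prm, inh;
    struct cap_hdr hdr = { LINUX_CAPABILITY_VERSION_3, 0 };
    struct cap_data d[2];

    if (get_caps(&eff, &prm, &inh) < 0)
        return -1;
    if (eff & CAP_MASK(CAP_SETPCAP)) {
        /* PR_CAPBSET_READ fails with EINVAL past the last valid cap. */
        for (int cap = 0; prctl(PR_CAPBSET_READ, cap, 0, 0, 0) >= 0; cap++)
            if (!(keep & CAP_MASK(cap)) && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
                return -1;
    }
    prm &= keep;   /* a process may always shrink its sets, never grow them */
    eff  = prm;    /* effective must be a subset of permitted */
    inh  = 0;      /* nothing is handed on through inheritance */
    d[0].effective   = (uint32_t)eff;  d[1].effective   = (uint32_t)(eff >> 32);
    d[0].permitted   = (uint32_t)prm;  d[1].permitted   = (uint32_t)(prm >> 32);
    d[0].inheritable = (uint32_t)inh;  d[1].inheritable = (uint32_t)(inh >> 32);
    if (syscall(SYS_capset, &hdr, d) < 0)
        return -1;
    /* Without this a setuid-root binary inside the jail gets a full set back. */
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Apply drop_caps_except(keep) in a forked child and check the outcome
 * there. Returns 0 when the child holds exactly (old permitted & keep),
 * an empty inheritable set and no_new_privs; works for root and non-root. */
static int verify_drop_in_child(uint64_t keep)
{
    uint64_t eff0, prm0, inh0;
    if (get_caps(&eff0, &prm0, &inh0) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        uint64_t eff, prm, inh;
        int ok = drop_caps_except(keep) == 0 && get_caps(&eff, &prm, &inh) == 0
              && prm == (prm0 & keep) && eff == (prm0 & keep) && inh == 0
              && prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1;
        _exit(ok ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}

int main(void)
{
    uint64_t eff, prm, inh;
    get_caps(&eff, &prm, &inh);
    printf("before: permitted=%#llx\n", (unsigned long long)prm);
    /* The "sane minimum" from the thread: bind low ports, nothing else. */
    if (drop_caps_except(CAP_MASK(CAP_NET_BIND_SERVICE)) < 0) {
        perror("drop_caps_except");
        return 1;
    }
    get_caps(&eff, &prm, &inh);
    printf("after:  permitted=%#llx CAP_SYS_ADMIN=%s CAP_SYS_BOOT=%s CAP_MKNOD=%s\n",
           (unsigned long long)prm,
           prm & CAP_MASK(CAP_SYS_ADMIN) ? "kept" : "gone",
           prm & CAP_MASK(CAP_SYS_BOOT)  ? "kept" : "gone",
           prm & CAP_MASK(CAP_MKNOD)     ? "kept" : "gone");
    return 0;
}
```

Run as root the "after" line shows only CAP_NET_BIND_SERVICE left; run as an ordinary user the permitted set is already empty, the bounding-set step is skipped for lack of CAP_SETPCAP, and the drop still succeeds because shrinking is always allowed. The bounding-set and no_new_privs steps are the ones that matter across execve() when the jailed process is uid 0, which is the case John's question is about; switching to an unprivileged uid makes both moot.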