Re: access to proc filesystem from chrooted process

Jeremy Fitzhardinge (jeremy@goop.org)
Tue, 25 May 1999 11:27:27 -0700 (PDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Peder O. Klingenberg: "Re: tool to browse thru kernel source code"
Previous message: Tim Waugh: "[PATCH] 2.2.9: block_read bug"

On 25-May-99 Peri Hankey wrote:
> Hi Jeremy
>
> On 19 May I wrote to the mailing list in general:
>> There is a suggestion in the kernel sources that a chrooted process should
>> only
>> be able to see processes that have the same root or that have a more
>> restricted
>> root.
>>
>> The comment is in the source for fs/proc/inode.c:
>>
>> http://lxr.linux.no/source/fs/proc/inode.c?v=2.3.3#L161
>>
>> 169 * XXX TODO: use the dentry mechanism to make off-limits procs simply
>> 170 * invisible rather than denied? Does each namespace root get its own
>> 171 * dentry tree?
>>
>> I wondered if anyone has done this, and whether there are plans to include
>> this in the main source tree.
>
> Looking again at the source, I see that this useful comment seems to have
> come
> from you. So I wondered whether you had done anything along these lines or
> know
> of anyone who has?

I haven't, but I don't think it would be too hard. I didn't really see the
point, since there's so many other vectors through which you can see outside
the chroot domain - signals, for example, can tell you about what other
processes exist, and who owns them (to some extent).

I thought it was sufficient to merely make proc respect the chroot domain and
leave it at that.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Peder O. Klingenberg: "Re: tool to browse thru kernel source code"
Previous message: Tim Waugh: "[PATCH] 2.2.9: block_read bug"