Hmm. Two years ago I made a proof-of-concept implementation to solve the
latter problem. The approach was a bit different - not based on global
group-id based settings, but based on a new resource limit, RLIMIT_BIND.
Semantics would be that once locked to a specific IP address with RLIMIT_BIND,
a process and all its children would never receive connects, or bind sockets,
to a different local address.
As we'll need something like that in a 2-4 month time frame, for a shared
web-developer box, I'd be willing to work on the details, together with you.
Anyone else who wants to be able to extend the traditional chroot in a way
that would allow running a virtual environment where each "sandbox" has
its own pseudo-init, assorted set of daemons, and virtual root user that
manages "his" machine? Is there prior art for that, somewhere on the web?
Regarding a /proc based interface, some days ago and for a different
project, I decided to go for a /proc/sys/net/... interface. There's need
for one additional support function in fs/proc/sysctl.c, which copies in
strings into the kernel to local (stack based, arbitrary pointer) storage
instead of a global variable; then, you can parse that and use it all you
like. The kernel->user part can be handled analogous to other /proc/net/...
stuff - see the end of net/ipv4/ip_fw.c for examples.
regards
Patrick
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/